Pki operation, Pki applications, Configuring pki in the web interface – H3C Technologies H3C SecBlade LB Cards User Manual

110

PKI operation

In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check

the validity of certificates. Here is how it works:

1.

An entity submits a certificate request to the RA.

2.

The RA reviews the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.

3.

The CA verifies the digital signature, approves the application, and issues a certificate.

4.

The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points
to provide directory navigation service, and notifies the entity that the certificate is successfully

issued.

5.

The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.

6.

The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server or other distribution points.

PKI applications

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. The following lists some common application examples:

•

VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols in conjunction with PKI-based

encryption and digital signature technologies for confidentiality.

•

Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. The secure email protocol that is developing rapidly is S/MIME, which is
based on PKI and allows for transfer of encrypted mails with signature.

•

Web security—For Web security, two peers can establish an SSL connection first for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted

communications between a browser and a server. Both of the communication parties can verify

each other's identity through digital certificates.

Configuring PKI in the Web interface

Recommended configuration procedure

The device supports the following PKI certificate request modes:

•

Manual—In manual mode, you need to manually retrieve the CA certificate, generate a local RSA

key pair, and submit a local certificate request for an entity.

•

Auto—In auto mode, an entity automatically requests a certificate through Simple Certification
Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it

has no local certificate or the existing certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.