Managing Certificates; Overview; Pki Terms; Pki Architecture - HP FlexNetwork NJ5000 User Manual

Managing certificates

Overview

The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through
public key technologies and digital certificates, and for verifying the identities of the digital certificate
owners.
A digital certificate is a binding of certificate owner identity information and a public key. Users can
get certificates, use certificates, and revoke certificates. By leveraging digital certificates and
relevant services like certificate and blacklist distribution, PKI supports authenticating the entities
involved in communication, and therefore guarantees the confidentiality, integrity, and
non-repudiation of data.

PKI terms

Digital certificate
A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the
related user identity information. A simplest digital certificate contains a public key, an entity name,
and a digital signature from the CA. Generally, a digital certificate also includes the validity period of
the key, the name of the CA and the sequence number of the certificate. A digital certificate must
comply with the international standard of ITU-T_X.509. This document involves local certificate and
CA certificate. A local certificate is a digital certificate signed by a CA for an entity. A CA certificate,
also known as a "root certificate", is signed by the CA for itself.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the
private key leaks, or the user stops the business. Revoking a certificate will remove the binding of the
public key with the user identity information. In PKI, the revocation is made through certificate
revocation lists (CRLs). When a certificate is revoked, the CA publishes one or more CRLs to show
all certificates that have been revoked. The CRLs contain the serial numbers of all revoked
certificates and provide an effective way for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL might degrade network performance.
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and
revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of
certification practice statement (CPS). A CA policy can be acquired through out-of-band means such
as phone, disk, and email. Because different CAs might use different methods to examine the
binding of a public key with an entity, make sure you understand the CA policy before selecting a
trusted CA for certificate request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
325