Pki Configuration; Introduction To Pki; Pki Overview; Pki Terms - HP 3600 v2 Series Security Configuration Manual
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (449 pages) ,
- Installation manual (62 pages)
Table of Contents
Advertisement
PKI configuration
Introduction to PKI
PKI overview
The Public Key Infrastructure (PKI) is a general security infrastructure used to provide information security
through public key technologies.
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key
pair consists of a private key and a public key. The private key must be kept secret but the public key
needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem with PKI is how to manage the public keys. PKI employs the digital certificate mechanism
to solve this problem. The digital certificate mechanism binds public keys to their owners, helping
distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
HP's PKI system provides certificate management for Secure Sockets Layer (SSL).
PKI terms
Digital certificate
•
A digital certificate is a file signed by a certificate authority (CA) for an entity. It includes mainly the
identity information of the entity, the public key of the entity, the name and signature of the CA, and the
validity period of the certificate. The signature of the CA ensures the validity and authority of the
certificate. A digital certificate must comply with the international standard of ITU-T X.509. The most
common standard is X.509 v3.
This document discusses two types of certificates: local certificate and CA certificate. A local certificate
is a digital certificate signed by a CA for an entity. A CA certificate is the certificate of a CA. If multiple
CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top
level. The root CA has a CA certificate signed by itself and each lower level CA has a CA certificate
signed by the CA at the next higher level.
CRL
•
An existing certificate might need to be revoked when, for example, the username changes, the private
key leaks, or the user stops the business. Revoking a certificate removes the binding of the public key with
the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs).
Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have
been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective
way for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL might degrade network performance. A CA uses CRL distribution points to indicate
the URLs of these CRLs.
CA policy
•
240
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
