Configuring PKI; PKI Terms - HP A5830 Series Configuration Manual

Configuring PKI

PKI is a general security infrastructure used to provide information security through public key
technologies.
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key
pair consists of a private key and a public key. The private key must be kept secret but the public key
needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
One problem with PKI is how to manage the public keys. PKI employs the digital certificate mechanism
to solve this problem. The digital certificate mechanism binds public keys to their owners, helping to
securely distribute public keys in large networks.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
HP's PKI system provides certificate management for SSL.

PKI terms

Digital certificate
A digital certificate is a file signed by a CA for an entity. It includes mainly the identity information of the
entity, the public key of the entity, the name and signature of the CA, and the validity period of the
certificate. The signature of the CA ensures the validity and authority of the certificate. A digital
certificate must comply with the international standard of ITU-T X.509. The most common standard is
X.509 v3.
This document discusses two types of certificates: local certificate and CA certificate. A local certificate is
a digital certificate signed by a CA for an entity. A CA certificate is the certificate of a CA. If multiple
CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top
level. The root CA has a CA certificate signed by itself, and each lower level CA has a CA certificate
signed by the CA at the next higher level.
CRL
An existing certificate might need to be revoked when, for example, the username changes, the private
key leaks, or the user goes out of business. Revoking a certificate removes the binding of the public key
to the user identity information. In PKI, revocation is made through CRLs. Whenever a certificate is
revoked, the CA publishes one or more CRLs listing all certificates that have been revoked. The CRLs
contain the serial numbers of all revoked certificates and provide an effective way to check the
validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL might degrade network performance. A CA uses CRL distribution points to indicate
the URLs of these CRLs.
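The CRL mechanism described above, as an added example that is not part of the HP manual: a self-signed CA issues two local certificates carrying a CRL distribution point, revokes one of them by serial number in a CA-signed CRL, and a checker verifies the CRL signature before consulting it. It uses the Python `cryptography` library; the CA name, switch names and CRL URL are constructed sample values.

```python
# Added example (not from the HP manual): a minimal PKI with the `cryptography`
# library, showing how a CRL binds revoked serial numbers to a CA signature.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
CRL_URL = "http://crl.example.test/root.crl"   # assumed CRL distribution point

def _cert(subject, issuer, pubkey, signer, is_ca, cdp=None):
    """Build a certificate signed by `signer`; optionally add a CRL distribution point."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signer, hashes.SHA256())

def build_pki():
    """Root CA (self-signed), two local certificates, and a CRL revoking the second."""
    ca_key = rsa.generate_private_key(65537, 2048)
    ca = _cert("Root CA", "Root CA", ca_key.public_key(), ca_key, True)
    good = _cert("switch1", "Root CA", rsa.generate_private_key(65537, 2048).public_key(),
                 ca_key, False, CRL_URL)
    bad = _cert("switch2", "Root CA", rsa.generate_private_key(65537, 2048).public_key(),
                ca_key, False, CRL_URL)
    revoked = (x509.RevokedCertificateBuilder().serial_number(bad.serial_number)
               .revocation_date(NOW).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, good, bad, crl

def crl_urls(cert):
    """Return the URLs from the certificate's CRL distribution points extension."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    return [name.value for dp in ext.value for name in dp.full_name]

def is_revoked(cert, crl, ca_cert):
    """True if the CA-signed CRL lists the certificate's serial number."""
    # An unsigned or foreign CRL must not be consulted at all.
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA certificate")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

In a real deployment the CRL would be fetched from the URL returned by `crl_urls` and refreshed before `next_update`; here it is kept in memory.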
CA policy
A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking
certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a CPS. A CA policy can
be acquired through an out-of-band method such as phone, disk, or email. Because different CAs