Architecture Of Pki - 3Com MSR 50 Series Configuration Manual

3com msr 30-16: software guide

Chapter 97: PKI Configuration
A CA may publish multiple CRLs when the number of revoked certificates is so
large that publishing them in a single CRL may degrade network performance.
CA policy
A CA policy is a set of criteria that a CA follows in managing certificate requests,
in issuing and revoking certificates, and in publishing CRLs. Usually, a CA advertises
its policy in the form of a certification practice statement (CPS), which can be acquired
through out-of-band means such as phone, disk, and e-mail or through other means. Since
different CAs may use different methods to check the binding of a public key with
an entity, make sure that you understand the CA policy before selecting a trusted
CA for certificate request.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI
repository, as shown in Figure 532.
Figure 532 PKI architecture
(Figure labels: Entity, PKI client, PKI manager, RA, CA, "Issue a certificate", "Issue a certificate / CRL")
Entity
An entity is an end user of PKI products or services, such as a person, an organization,
a device (for instance, a router or a switch) or a process running on a computer.
CA
A CA is a trusted entity responsible for issuing and managing digital
certificates. Its functions include issuing certificates, specifying the validity period
of a certificate, and revoking a certificate as needed by publishing CRLs.
RA
A registration authority (RA) is an extended part of a CA or an independent
authority. An RA can implement functions such as identity authentication, CRL
management, key pair generation and key pair backup. The PKI standard
recommends that an independent RA be used for registration management to
achieve higher security of application systems.
PKI repository
A PKI repository includes a Lightweight Directory Access Protocol (LDAP) server and
some general databases that store and manage information like certificate
