Configuration Task List - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family
3Com Router 3000 Ethernet Family
Configuration Guide
9.1.2 Terminology
Public key algorithm: Key algorithm that uses different keys for encryption and
decryption. A pair of keys is generated for each user: one is published as the
public key; the other is kept as the private key. Information encrypted with one
key has to be decrypted with the other; the key pair is therefore generally used for
signature and authentication. In communication, if the sender signs with its private
key, the receiver needs to authenticate this signature with the sender's public key.
If the sender encrypts the information with the receiver's public key, then only the
receiver's private key is capable of decryption.
Certificate authority (CA): Trustworthy entity that issues certificates to persons, PCs or
any other entities. The CA handles certificate requests and checks applicant
information according to its certificate management policy. It then signs the
certificate with its private key and issues the certificate.
Registration authority (RA): Extension of the CA. It forwards the entities' certificate
requests to the CA, and forwards digital certificates and the certificate revocation
list to the directory server, for directory browsing and query.
Lightweight directory access protocol (LDAP) server: LDAP provides a means to
access the PKI repository, with the purpose of accessing and managing PKI
information. The LDAP server supports directory browsing and lists the user
information and digital certificates from an RA server. A user can then get his or
others' certificates by accessing the LDAP server.
Certificate revocation list (CRL): A certificate has a lifetime, but the CA can revoke a
certificate before its expiration date if the private key leaks or if the service ends.
Once a certificate is revoked, a CRL is released to announce its invalidity; the CRL
lists the serial numbers of the invalid certificates. The CRL, stored on the LDAP server,
provides an effective way to check the validity of certificates, and offers centralized
management of user notification and other applications.
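The CA and CRL roles defined above, as an added example that is not taken from the 3Com manual and does not use the router's own commands: a Python sketch using the third-party `cryptography` package in which a CA signs certificates, publishes a signed CRL of revoked serial numbers, and a relying party checks signature, lifetime and revocation status. The CA name, serial numbers and reference date are constructed; extensions, chain building and CRL freshness checks are left out.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)   # constructed reference time, naive UTC
DAY = dt.timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, subject_key, ca_key, serial):
    # CA role: bind subject name and public key, sign with the CA private key.
    return (x509.CertificateBuilder().subject_name(name(subject))
            .issuer_name(name("Example CA")).public_key(subject_key.public_key())
            .serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + 365 * DAY).sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, revoked_serials):
    # CA role: publish the serial numbers of revoked certificates, signed.
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name("Example CA"))
           .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                  .serial_number(serial).revocation_date(NOW).build())
    return crl.sign(ca_key, hashes.SHA256())

def not_after(cert):
    # Newer library releases expose not_valid_after_utc; older ones only the naive value.
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware.replace(tzinfo=None) if aware else cert.not_valid_after

def check(cert, ca_pub, crl, at):
    # Relying-party role: CA signature first, then lifetime, then revocation status.
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "not signed by trusted CA"
    if at > not_after(cert):
        return "expired"
    if not crl.is_signature_valid(ca_pub):
        return "CRL not signed by trusted CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"
```

Generate keys with `ec.generate_private_key(ec.SECP256R1())`, issue a few certificates, list one serial in `make_crl`, and `check` returns a different verdict for the valid, revoked, expired and wrongly signed cases.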
9.1.3 Applications
PKI includes a set of security services that use public key technology and X.509
certification in distributed computing systems. It can issue certificates for various
purposes, such as Web user identity authentication, Web server identity authentication,
secure email using S/MIME (secure/multipurpose internet mail extensions), virtual
private network (VPN), IP Security, Internet key exchange (IKE), and secure sockets
layer/transport layer security (SSL/TLS). One CA can issue certificates to another CA,
to establish certification hierarchies.

9.1.4 Configuration Task List

PKI configuration includes applying to the CA for a local certificate for a designated device
and authenticating the validity of the certificate. The configuration involves:
3Com Corporation
Chapter 9 PKI Configuration