Huawei AR1200-S Configuration Manual page 250
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
- PKI repository
  The PKI repository stores certificates and CRLs for PKI entities to query and manage.
- PKI protocol suite
  The PKI protocol suite consists of Public Key Infrastructure and X.509 (PKIX) and the
  Public-Key Cryptography Standards (PKCS).
  PKIX was developed by the PKIX Working Group. PKIX defines a series of standards and
  protocols used for communication between PKI entities or between a PKI entity and a PKI
  repository. These standards define operation rules, certificate formats and content, CRL
  formats and content, cryptography and signature algorithms, PKI policies, PKI repository
  protocols, and certificate management protocols.
  PKCS was jointly developed by RSA Laboratories and other secure systems developers to
  enable interoperation between public-key cryptography systems. It defines various key and
  data formats, algorithms and application programming interfaces, abstract syntax notation,
  and basic encoding rules. The data formats and algorithms defined in PKCS are the basis of
  PKI implementation.
  The Rivest-Shamir-Adleman (RSA) algorithm is one of the most commonly used public-key
  algorithms. PKCS#1 defines the RSA cryptography specifications, including the format of
  the RSA public key, the calculation method for digital signatures, the formats of digital
  signatures and of the data to be signed, and the syntax for public and private keys.
- Other protocols
  Some protocols do not belong to the PKCS family, but PKCS uses the encoding rules in these
  protocols to describe objects. These protocols include Abstract Syntax Notation One
  (ASN.1), Distinguished Encoding Rules (DER), Basic Encoding Rules (BER), and Base64.
  ASN.1 (also called X.208) defines rules for describing the structure of objects and data
  structures when representing, encoding, transmitting, and decoding data.

PKI Working Process
On a PKI network, PKI is configured on the AR1200-S to allow the AR1200-S to obtain a local
certificate from a CA and verify certificate validity. The PKI working process is as follows:
1. An entity applies for a certificate from a registration authority (RA).
2. The RA authenticates the entity's identity and sends the entity's identity information and
   public key, in a digitally signed request, to a certificate authority (CA).
3. The CA verifies the digital signature, issues a certificate if it approves the entity's
   request, and sends the certificate to the RA.
4. The RA receives the certificate and notifies the entity that its certificate has been issued.
5. The entity obtains the certificate and uses it to communicate securely with other entities
   by means of encrypted data or digital signatures.
6. The entity sends a revocation request to the CA if it needs to revoke its certificate. The CA
   approves the entity's revocation request and updates its CRL.

PKI Configuration Roadmap
Figure 12-2 shows the PKI configuration roadmap.

Issue 02 (2012-03-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
12 PKI Configuration
236
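As an added example that is not part of Huawei's guide or the AR1200-S software, the stdlib-only Python below builds and parses the PKCS#1 RSAPublicKey structure (SEQUENCE of two INTEGERs) using the ASN.1/DER rules named in the "Other protocols" bullet, and wraps the result in Base64 PEM armour. The function names (der_integer, read_tlv, to_pem, ...) are my own, and any modulus you feed it in testing should be a constructed value, not a real key.

```python
import base64

def der_length(n: int) -> bytes:
    # DER length octets: short form below 128, otherwise minimal big-endian long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value: int) -> bytes:
    # INTEGER is two's complement: a positive value with its top bit set needs a 0x00 prefix
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def encode_rsa_public_key(n: int, e: int) -> bytes:
    # PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    # Parse one tag-length-value at pos; reject indefinite and zero-padded lengths (BER, not DER)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or buf[pos] == 0:
            raise ValueError("indefinite or non-minimal length: BER, not DER")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_rsa_public_key(der: bytes):
    # Truncated input is caught because the offsets no longer line up with the declared lengths
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(body, 0)
    tag_e, e_bytes, pos = read_tlv(body, pos)
    if (tag_n, tag_e) != (0x02, 0x02) or pos != len(body):
        raise ValueError("expected a SEQUENCE of exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def to_pem(der: bytes) -> str:
    # Base64 in 64-character lines between the PKCS#1 armour labels (PEM)
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PUBLIC KEY-----\n" + lines + "\n-----END RSA PUBLIC KEY-----\n"

def from_pem(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
```

The parser deliberately fails on BER-only length encodings and on trailing or missing bytes, which is the behaviour a certificate consumer should have so that two decoders cannot disagree about the same bytes.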