Pki Architecture; Pki Operation - HP FlexFabric 5930 Series Security Configuration Manual

Hide thumbs Also See for FlexFabric 5930 Series:

Configuration manuals (467 pages)

Command reference manual (87 pages)

Installation manual (73 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

Table of Contents

(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make

sure you understand the CA policy before you select a trusted CA for certificate request because different

CAs might use different policies.

PKI architecture

A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in

Figure 18 PKI architecture

PKI entity—A PKI entity is an end user or host using PKI certificates. The PKI entity can be an

•

operator, an organization, a device like a router or a switch, or a process running on a computer.

The SCEP is a protocol that used by the PKI entity to communicate with the CA and RA.

•

CA—A CA is a trusted authority that issues and manages digital certificates. A CA issues

certificates, defines the certificate validity periods, and revokes certificates by publishing CRLs.

RA—In a PKI system with complex CA hierarchical structures, RAs, which are trusted by CAs,

•

manage registration requests to reduce the burden on CAs. An RA accepts certificate requests,

verifies user identity, and determines whether to ask the CA to issue certificates. RAs are not

allowed to issue certificates.

A CA and its trusted RAs should be on different devices to avoid direct interaction between the CA

and external devices for higher security of the private key of the CA.

•

Repository—A certificate/CRL repository, also known as a distribution point, stores certificates and

CRLs, and distributes these certificates and CRLs to PKI entities. It also provides the query function.

A PKI repository can be a directory server using Lightweight Directory Access Protocol (LDAP) or

HTTP protocol, and LDAP is commonly used.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores the digital

certificates and CRLs from the CA/RA server and provides directory navigation service. From an

LDAP server, an entity can obtain the certificates of its own and other entities, as well as the CRLs.

PKI operation

The following describes how a PKI entity requests a local certificate from a CA, and how an RA is

involved in entity enrollment:

A PKI entity submits a certificate request to the RA.

Figure

18.

Table of Contents

Pki Architecture; Pki Operation - HP FlexFabric 5930 Series Security Configuration Manual

PKI architecture

PKI operation

Troubleshooting

Related Manuals for HP FlexFabric 5930 Series

Related Content for HP FlexFabric 5930 Series

Table of Contents