Pki Architecture; Pki Operation - HPE FlexNetwork 7500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (506 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
•
The association between the subject and CA is changed. For example, when an employee
terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke
certificates, and to publish CRLs. Typically, a CA advertises its policy in a certification practice
statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and
email. Make sure you understand the CA policy before you select a trusted CA for certificate request
because different CAs might use different policies.
PKI architecture
A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in
82.
Figure 82 PKI architecture
t e
c a
i f i
r t
r y
e
t o
C
s i
o
p
r e
L
/ C R
Issue a
certificate
•
PKI entity—An end user using PKI certificates. The PKI entity can be an operator, an
organization, a device like a router or a switch, or a process running on a computer. PKI entities
use SCEP to communicate with the CA or RA.
•
CA—Certification authority that grants and manages certificates. A CA issues certificates,
defines the certificate validity periods, and revokes certificates by publishing CRLs.
•
RA—Registration authority, which offloads the CA by processing certificate enrollment requests.
The RA accepts certificate requests, verifies user identity, and determines whether to ask the
CA to issue certificates.
The RA is optional in a PKI system. In cases when there is security concern over exposing the
CA to direct network access, it is advisable to delegate some of the tasks to an RA. Then, the
CA can concentrate on its primary tasks of signing certificates and CRLs.
•
Certificate/CRL repository—A certificate distribution point that stores certificates and CRLs,
and distributes these certificates and CRLs to PKI entities. It also provides the query function. A
PKI repository can be a directory server using the LDAP or HTTP protocol, of which LDAP is
commonly used.
PKI operation
The following workflow describes how a PKI entity requests a local certificate from a CA that has
RAs:
1.
A PKI entity submits a certificate request to the RA.
Entity
RA
Issue a certificate/CRL
PKI user
PKI
management
authorities
CA
273
Figure
Advertisement
Table of Contents
Troubleshooting
