Pki Operation; Pki Applications; Pki Across Vpns - H3C S5830V2 Security Configuration Manual
Hide thumbs
Also See for S5830V2:
- Configuration manual (318 pages) ,
- Command reference manual (301 pages) ,
- Installation manual (63 pages)
Table of Contents
Advertisement
PKI operation
The following describes how a PKI entity requests a local certificate from a CA, and how an RA is
involved in entity enrollment:
1.
A PKI entity submits a certificate request to the RA.
2.
The RA verifies the identity of the entity and sends a digital signature containing the identity
information and the public key to the CA.
3.
The CA verifies the digital signature, approves the request, and issues a certificate.
4.
After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other
certificate repositories to provide directory navigation services, and notifies the PKI entity that the
certificate is successfully issued.
5.
The entity obtains the certificate from the certificate repository.
PKI applications
The PKI technology can satisfy security requirements of online transactions. As an infrastructure, PKI has
a wide range of applications. Here are some application examples.
VPN—A VPN is a private data communication network built on the public communication
•
infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies for confidentiality.
Secure emails—PKI can address the email requirements for confidentiality, integrity, authentication,
•
and non-repudiation. A common secure email protocol is Secure/Multipurpose Internet Mail
Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with
signature.
Web security—The SSL protocol can be used to establish a secure connection between a client and
•
a Web server. During the SSL handshake, both parties can use PKI to identity the peer identity by
digital certificates.
PKI across VPNs
An enterprise might have multiple branches in different VPNs with isolated services. If users in the
branches request certificates from the CA server in the headquarters VPN, PKI across VPNs is required.
As shown in
3, the PE device that connects to the PKI entity transmits the request to the CA server through MPLS L3VPN.
After the CA server receives the request and issues the certificate, the PE device that connects to the CA
server transmits the certificate to the PKI entity.
For information about MPLS L3VPN, see MCE Configuration Guide.
Figure
41, if the PKI entity in VPN 1 wants to request a certificate from the CA server in VPN
127
Advertisement
Table of Contents
Troubleshooting
