PKI Architecture; PKI Operation - HPE FlexNetwork MSR Series Comware 5 Security Configuration Manual

binding of a public key with an entity, make sure you understand the CA policy before selecting a
trusted CA for certificate request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 71.

Figure 71 PKI architecture
• PKI entity—A PKI entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.
• CA—A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
• RA—A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup. The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems.
• PKI repository—A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information like certificate requests, certificates, keys, CRLs and logs, and provides a simple query function.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service. From an LDAP server, an entity can retrieve local and CA certificates of its own as well as certificates of other entities.

PKI operation

In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works:

1. An entity submits a certificate request to the RA.
2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution points to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
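The four steps above, played out with the OpenSSL command line as an added example; this is not code from the HPE manual or from Comware, and the device itself would run its own enrollment protocol against a real CA. Each role is a shell function, directories under a scratch path stand in for the entity, the RA, the CA and the LDAP repository, and the CA name, the approved common name and all paths are constructed for the example. The RA step shows the two checks the manual's "reviews the identity" covers in practice: proof of possession (the request's self-signature) and a match against an identity vetted out of band; the CA step shows why the RA's signature matters, since the CA issues only for submissions it can authenticate.

```shell
#!/bin/sh
# Added example (not from the HPE manual): the four enrollment steps played out with the
# OpenSSL command line. Each role is a shell function; directories under $WORK stand in for the
# entity, the RA, the CA and the LDAP repository. All names, paths and the approved CN are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"; RA_DIR="$WORK/ra"; ENTITY_DIR="$WORK/entity"; REPO_DIR="$WORK/repo"
mkdir -p "$CA_DIR" "$RA_DIR" "$ENTITY_DIR" "$REPO_DIR"
APPROVED_CN="router1.example.test"   # identity the RA has vetted out of band (constructed)

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Set-up: the CA's self-signed root (the trust anchor every entity must obtain out of band)
# and the RA's own key pair, whose public half the CA keeps to authenticate RA submissions.
setup_ca_and_ra() {
    write_req_config
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$RA_DIR/ra.key" 2>/dev/null
    openssl pkey -in "$RA_DIR/ra.key" -pubout -out "$CA_DIR/ra.pub" 2>/dev/null
}

# Step 1: the entity generates its key pair and a PKCS #10 request; the private key never leaves it.
entity_request() {   # $1 = CN to request, $2 = CSR output path (the key is written beside it)
    [ -f "$WORK/req.cnf" ] || write_req_config
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "${2%.csr}.key" -out "$2" 2>/dev/null
}

# Step 2: the RA checks proof of possession (the CSR's self-signature) and that the claimed
# identity is one it has vetted, then forwards the request to the CA under its own signature.
ra_review() {   # $1 = CSR path; returns 1 when the request is rejected
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    [ "$subject" = "subject=CN=$APPROVED_CN" ] || return 1
    cp "$1" "$RA_DIR/submission.csr"
    openssl dgst -sha256 -sign "$RA_DIR/ra.key" -out "$RA_DIR/submission.sig" "$RA_DIR/submission.csr"
}

# Step 3: the CA verifies the RA's signature and only then issues an end-entity certificate.
ca_issue() {
    openssl dgst -sha256 -verify "$CA_DIR/ra.pub" -signature "$RA_DIR/submission.sig" \
        "$RA_DIR/submission.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
        "$APPROVED_CN" > "$CA_DIR/ee.ext"
    openssl x509 -req -in "$RA_DIR/submission.csr" -sha256 -days 90 \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/ee.ext" -out "$CA_DIR/issued.crt" 2>/dev/null
}

# Step 4: the RA publishes to the repository (the LDAP server in the manual); the entity
# retrieves its certificate, validates the chain and confirms it was issued for its own key.
ra_publish() {
    cp "$CA_DIR/issued.crt" "$REPO_DIR/$APPROVED_CN.crt"
    cp "$CA_DIR/ca.crt" "$REPO_DIR/ca.crt"
}
entity_validate() {
    openssl verify -CAfile "$REPO_DIR/ca.crt" "$REPO_DIR/$APPROVED_CN.crt" >/dev/null 2>&1 || return 1
    from_key=$(openssl pkey -in "$ENTITY_DIR/entity.key" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$REPO_DIR/$APPROVED_CN.crt" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# The whole flow; returns 0 when the entity holds a valid certificate for its own key.
run_enrollment() {
    setup_ca_and_ra
    entity_request "$APPROVED_CN" "$ENTITY_DIR/entity.csr"
    ra_review "$ENTITY_DIR/entity.csr" || return 1
    ca_issue || return 1
    ra_publish
    entity_validate
}

# A request for an identity the RA has not vetted must stop at step 2.
rogue_request_rejected() {
    entity_request "rogue.example.test" "$ENTITY_DIR/rogue.csr"
    if ra_review "$ENTITY_DIR/rogue.csr"; then return 1; fi
}

run_enrollment || { echo "enrollment failed" >&2; exit 1; }
echo "enrollment complete: $REPO_DIR/$APPROVED_CN.crt"
```

Run it with `sh` on any host with the `openssl` binary; `WORK=/some/dir` keeps the generated material where you can inspect it with `openssl x509 -text`. The split of duties mirrors the manual's architecture: the entity alone holds its private key, the RA holds the identity decision, and the CA signs nothing it cannot trace to an authenticated RA submission.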