Architecture Of Pki - H3C S3610-28P Operation Manual

Operation Manual – PKI
H3C S3610&S5510 Series Ethernet Switches
CA for an entity, while a CA certificate, also known as a root certificate, is signed by the
CA for itself (that is, it is self-signed).
II. CRL
An existing certificate may need to be revoked before it expires, for example when the
user's name changes, the private key is compromised, or the user ceases the business
for which the certificate was issued. Revoking a certificate removes the binding between
the public key and the user's identity information. In PKI, revocations are made known
through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA
publishes one or more CRLs announcing that the certificate is no longer valid. A CRL
lists the serial numbers of all certificates the CA has revoked (a serial number is unique
within the issuing CA), so checking a certificate's serial number against the CA's current
CRL is an effective way to determine whether the certificate is still valid.
A CA may publish multiple CRLs when the number of revoked certificates is so large
that publishing them in a single CRL would degrade network performance; each
certificate then identifies the CRL that covers it, and only that CRL needs to be fetched to
check it.
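The checking logic described above, as an added example that is not part of the H3C manual and not the switch's own implementation. It models the parts of a CRL that matter for the check (issuer, validity window, list of revoked serial numbers) as plain Python structures instead of parsing real X.509 data, and it also covers the multiple-CRL case from the last paragraph: each certificate names the CRL partition that covers it, so a serial number is only looked up in that partition. The certificate names, serial numbers and distribution-point URIs are constructed sample data. One caveat a practitioner would want is built in: a missing or stale CRL (outside its thisUpdate/nextUpdate window) yields "undetermined" rather than "good", so an attacker who blocks the CRL download cannot make a revoked certificate pass.

```python
"""Added example: CRL-based revocation checking (constructed data, stdlib only).
Not code from the H3C operation manual; the data structures below are a
simplified model of the fields a real CRL carries, not a real CRL parser."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"   # no fresh, matching CRL available: fail closed


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int                     # unique per issuing CA
    crl_distribution_point: str     # which CRL (partition) covers this certificate


@dataclass
class CRL:
    issuer: str
    distribution_point: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> (revocation time, reason)

    def revoke(self, serial: int, when: datetime, reason: str) -> None:
        self.revoked[serial] = (when, reason)


def check_revocation(cert: Certificate, crls: list, now: datetime) -> Status:
    """Decide whether `cert` is revoked according to the CRL that covers it.

    1. Only a CRL from the same issuer and for the certificate's own
       distribution point is consulted (a CA may split revocations across
       several CRLs; other partitions say nothing about this certificate).
    2. If several matching CRLs are cached, the most recently issued one wins.
    3. A CRL is usable only inside its [thisUpdate, nextUpdate] window; a stale
       or missing CRL gives UNDETERMINED, never GOOD.
    4. The certificate is REVOKED iff its serial number is listed in the CRL.
    """
    matching = [c for c in crls
                if c.issuer == cert.issuer
                and c.distribution_point == cert.crl_distribution_point]
    if not matching:
        return Status.UNDETERMINED
    crl = max(matching, key=lambda c: c.this_update)
    if not (crl.this_update <= now <= crl.next_update):
        return Status.UNDETERMINED
    if cert.serial in crl.revoked:
        return Status.REVOKED
    return Status.GOOD


def _sample():
    """Constructed sample data: one CA publishing two CRL partitions."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    crl_a = CRL("CN=Example CA", "http://ca.example/crl-a.crl",
                this_update=t0, next_update=t0 + timedelta(days=7))
    crl_b = CRL("CN=Example CA", "http://ca.example/crl-b.crl",
                this_update=t0, next_update=t0 + timedelta(days=7))
    crl_a.revoke(serial=0x1001, when=t0, reason="keyCompromise")
    certs = {
        "revoked_key": Certificate("CN=Example CA", 0x1001, crl_a.distribution_point),
        "still_good": Certificate("CN=Example CA", 0x1002, crl_a.distribution_point),
        "other_partition": Certificate("CN=Example CA", 0x2001, crl_b.distribution_point),
        "unknown_issuer": Certificate("CN=Other CA", 0x1003, crl_a.distribution_point),
    }
    return certs, [crl_a, crl_b], t0


def run_demo() -> dict:
    """Evaluate every sample certificate; returns {name: status string}."""
    certs, crls, t0 = _sample()
    now = t0 + timedelta(days=1)        # inside every CRL's validity window
    stale = t0 + timedelta(days=30)     # past nextUpdate of every CRL
    results = {name: check_revocation(c, crls, now).value for name, c in certs.items()}
    # Same revoked certificate, but the only CRL we hold has expired.
    results["revoked_key_stale_crl"] = check_revocation(certs["revoked_key"], crls, stale).value
    return results


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:24s} {status}")
```

In a real deployment the CRL's signature must also be verified against the CA certificate before any of the above is trusted; that step is omitted here because the sample CRLs are plain objects rather than signed DER structures.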
III. CA policy
A CA policy is the set of criteria that a CA follows in handling certificate requests and in
issuing and revoking certificates and publishing CRLs. A CA usually advertises its policy
in the form of a certification practice statement (CPS), which can be obtained through
out-of-band means such as telephone, disk, or e-mail, or through other channels. Since
different CAs may use different methods to verify the binding between a public key and
an entity, make sure that you understand a CA's policy before selecting it as a trusted
CA and requesting certificates from it.

1.1.3 Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI
repository, as shown in Figure 1-1.

Figure 1-1 PKI architecture
Chapter 1 PKI Configuration