Pki Architecture - HP FlexFabric 5700 Series Security Configuration Manual
Hide thumbs
Also See for FlexFabric 5700 Series:
- Configuration manual (185 pages) ,
- Configuration manual (63 pages) ,
- Configuration manual (132 pages)
Table of Contents
Advertisement
Certificate revocation list
A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A CRL
is created and signed by the CA that originally issued the certificates.
The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the revoked
certificates should not be trusted.
The CA must revoke a certificate when any of the following conditions occurs:
The certificate subject name is changed.
•
The private key is compromised.
•
•
The association between the subject and CA is changed. For example, when an employee
terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke
certificates, and to publish CRLs. Typically, a CA advertises its policy in a certification practice statement
(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make
sure you understand the CA policy before you select a trusted CA for certificate request because different
CAs might use different policies.
PKI architecture
A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in
Figure 73 PKI architecture
PKI entity—An end user using PKI certificates. The PKI entity can be an operator, an organization,
•
a device like a router or a switch, or a process running on a computer. PKI entities use SCEP to
communicate with the CA or RA.
•
CA—Certification authority that grants and manages certificates. A CA issues certificates, defines
the certificate validity periods, and revokes certificates by publishing CRLs.
RA—Registration authority, which offloads the CA by processing enrollment requests. The RA
•
accepts certificate requests, verifies user identity, and determines whether to ask the CA to issue
certificates.
The RA is optional in a PKI system. In cases when the CA operates over a wide geographical area
or when there is security concern over exposing the CA to direct network access, it is advisable to
217
Figure
73.
- Quick Links:
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
