Operation Manual – PKI
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 PKI Configuration
I. Entity
An entity is an end user of PKI products or services, such as a person, an organization,
a device like a switch, or a process running on a computer.
II. CA
A CA is a trusted entity responsible for issuing and managing digital certificates. A CA
issues certificates, sets the validity period of each certificate it issues, and, when a
certificate must be withdrawn before it expires, revokes it by publishing a certificate
revocation list (CRL).
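The three CA duties just listed (issue, bound the validity period, revoke via a CRL) and the matching checks a relying party such as a switch must perform are shown below as an added example written for this page; it is not H3C code and does not describe the switch's own PKI implementation. It uses only Go's standard crypto/x509 package. The names toyCA, signCert, issue, revoke, publishCRL and validate, the CA name "Example Root CA" and the entity name "switch-1" are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// toyCA is a minimal certification authority for illustration only: its
// certificate, signing key, next serial and the serials revoked so far.
type toyCA struct {
	cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	nextSerial int64
	revoked    []pkix.RevokedCertificate
}

// signCert signs tmpl under parent with priv and parses the result back.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newToyCA creates a self-signed CA certificate allowed to sign certificates and CRLs.
func newToyCA(name string) (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &toyCA{cert: cert, key: key, nextSerial: 2}, nil
}

// issue signs an entity certificate with a validity period fixed by the CA.
// The entity key is generated here for brevity; a real entity keeps its
// private key and sends the CA only a certificate request.
func (ca *toyCA) issue(cn string, validFor time.Duration) (*x509.Certificate, error) {
	entKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSerial++
	return signCert(tmpl, ca.cert, &entKey.PublicKey, ca.key)
}

// revoke marks a certificate revoked; relying parties learn of it only from the next published CRL.
func (ca *toyCA) revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

// publishCRL signs a CRL of all revoked serials; NextUpdate is when relying parties must refresh it.
func (ca *toyCA) publishCRL(lifetime time.Duration) ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(now.UnixNano()), ThisUpdate: now, NextUpdate: now.Add(lifetime),
		RevokedCertificates: ca.revoked,
	}, ca.cert, ca.key)
}

// validate is the relying party's side: chain the certificate to the trusted
// CA at time now, then consult a CA-signed, still-current CRL.
func validate(caCert *x509.Certificate, crlDER []byte, c *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return err // untrusted issuer, outside validity period, or wrong usage
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return err // a CRL the CA did not sign proves nothing
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale; refuse rather than assume not revoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}
```

Typical use is newToyCA, then issue("switch-1", 24*time.Hour), then publishCRL(time.Hour) and validate with the current time; after revoke and a fresh publishCRL the same validate call fails. Two checks in validate matter in practice and are easy to get wrong on a device: the CRL's signature is verified against the issuing CA before its contents are trusted, and a CRL past its NextUpdate is treated as a failure rather than as proof that nothing was revoked.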
III. RA
A registration authority (RA) is either an extension of a CA or an independent authority.
An RA can implement functions including identity authentication, CRL management, key
pair generation and key pair backup. The PKI standard recommends that an independent
RA handle registration, so that verifying an applicant's identity is separated from
signing its certificate and the application system is better protected.
IV. PKI repository
A PKI repository consists of a Lightweight Directory Access Protocol (LDAP) server and
ordinary databases that store and manage information such as certificate requests,
certificates, keys, CRLs and logs, and that provide a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores
the user information and digital certificates received from the RA server and provides
a directory navigation service. From an LDAP server, an entity can retrieve its own
local certificate, the CA certificate, and the certificates of other entities.
1.1.4 Applications of PKI
PKI technology can satisfy the security requirements of online transactions. As an
infrastructure, PKI has a wide range of applications. Here are some examples.
I. VPN
A virtual private network (VPN) is a private data communication network built over the
public communication infrastructure. A VPN can combine network layer security
protocols (for instance, IPSec) with PKI-based encryption and digital signature
technologies to provide confidentiality and peer authentication.
II. Secure E-mail
E-mail also requires confidentiality, integrity, authentication, and non-repudiation, and
PKI can address all of these needs. The secure e-mail protocol in most widespread use is
Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and
supports the transfer of encrypted and signed mail.