247
such as phone, disk, and email. As different CAs might use different methods to examine the
binding of a public key with an entity, make sure that you understand the CA policy before
selecting a trusted CA for certificate request.
PKI architecture
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
Figure 80
PKI architecture
•
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device,
or a process running on a computer.
•
CA
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues
certificates, specifies the validity periods of certificates, and revokes certificates as needed by
publishing CRLs.
•
RA
A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and
key pair backup. The PKI standard recommends that an independent RA be used for registration
management to achieve higher security.
•
PKI repository
A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common
database. It stores and manages information like certificate requests, certificates, keys, CRLs and
logs when it provides a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service.
From an LDAP server, an entity can retrieve local and CA certificates of its own as well as
certificates of other entities.
PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check
the validity of certificates. Here is how it operates: