326
Figure 350 PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like
a router or a switch, or a process running on a computer.
CA
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues
certificates, specifies the validity periods of certificates, and revokes certificates as needed by
publishing CRLs.
RA
An RA is an extended part of a CA or an independent authority. An RA can implement functions
including identity authentication, CRL management, key pair generation and key pair backup. It only
examines the qualifications of users. It does not sign certificates. Sometimes, a CA assumes the
registration management responsibility and no independent RA exists. The PKI standard
recommends that an independent RA be used for registration management to achieve higher
security of application systems.
PKI repository
A PKI repository can be an LDAP server or a common database. It stores and manages information
like certificate requests, certificates, keys, CRLs and logs, and it provides a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service.
From an LDAP server, an entity can retrieve digital certificates of its own and other entities.
How PKI works
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can
check the validity of certificate. The following describes how it works:
1.
An entity submits a certificate request to the CA.
2.
The RA verifies the identity of the entity and then sends the identity information and the public
key with a digital signature to the CA.
3.
The CA verifies the digital signature, approves the application, and issues a certificate.
4.
The RA receives the certificate from the CA, sends it to the LDAP server to provide directory
navigation service, and notifies the entity that the certificate is successfully issued.
5.
The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.
Содержание FlexNetwork NJ5000
Страница 12: ...x Index 440 ...
Страница 39: ...27 Figure 16 Configuration complete ...
Страница 67: ...55 Figure 47 Displaying the speed settings of ports ...
Страница 78: ...66 Figure 59 Loopback test result ...
Страница 158: ...146 Figure 156 Creating a static MAC address entry ...
Страница 183: ...171 Figure 171 Configuring MSTP globally on Switch D ...
Страница 243: ...231 Figure 237 IPv6 active route table ...
Страница 293: ...281 Figure 298 Ping operation summary ...