PKI
Public Key Infrastructure (PKI) is an asymmetric-key infrastructure that encrypts and decrypts data to secure network services.
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
PKI provides certificate management for SSL.
Digital certificate and CRL
• Digital certificate—An electronic document signed by a CA that binds a public key with the identity of its owner. A digital certificate includes the following information:
  ◦ Issuer name.
  ◦ Subject name (name of the individual or group to which the certificate is issued).
  ◦ Subject's public key.
  ◦ Signature of the CA.
  ◦ Validity period.
  A digital certificate must comply with the international standards of ITU-T X.509, of which X.509 v3 is the most commonly used.
  This help covers the following types of certificates:
  ◦ CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree, with the root CA at the top. The root CA generates a self-signed certificate, and each lower-level CA holds a CA certificate issued by the CA immediately above it. The chain of these certificates forms a chain of trust.
  ◦ Local certificate—Digital certificate issued by a CA to a PKI entity, which contains the entity's public key.
• CRL—A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A CRL is created and signed by the CA that originally issued the certificates.
  The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the revoked certificates should not be trusted.
  The CA must revoke a certificate when any of the following conditions occurs:
  ◦ The certificate subject name is changed.
  ◦ The private key is compromised.
  ◦ The association between the subject and the CA is changed. For example, when an employee terminates employment with an organization.
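As an added example that is not part of this help, the following Python code (using the cryptography library, with constructed names, keys and serial numbers) builds the CA tree described above, walks the chain of trust from a local certificate up to the self-signed root, and then checks the certificate's serial number against a CRL that must be signed by the CA that issued it:

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC, as X.509 times are
name = lambda cn: x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])  # constructed DN
def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca, serial):
    # Issuer name, subject name, subject public key, validity period; sign() adds the CA signature.
    return (x509.CertificateBuilder().subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
def issue_crl(issuer_cn, issuer_key, revoked_serials):  # signed by the CA that issued the certs
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
           .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for s in revoked_serials:
        crl = crl.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return crl.sign(issuer_key, hashes.SHA256())
def signed_by(obj, issuer_cert):  # check a cert's or CRL's signature with the issuer's public key
    tbs = obj.tbs_certificate_bytes if isinstance(obj, x509.Certificate) else obj.tbs_certlist_bytes
    try:
        issuer_cert.public_key().verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def validate(chain, crl):  # chain = [local cert, ..., root CA]; returns (ok, reason)
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):  # walk up; the root verifies itself
        if not cert.not_valid_before <= NOW <= cert.not_valid_after:
            return False, f"outside validity period: {cert.subject.rfc4514_string()}"
        if not signed_by(cert, issuer):
            return False, f"bad signature on {cert.subject.rfc4514_string()}"
    if not signed_by(crl, chain[1]):  # the CRL must come from the CA that issued the local cert
        return False, "CRL not signed by the issuing CA"
    if crl.get_revoked_certificate_by_serial_number(chain[0].serial_number) is not None:
        return False, "local certificate is revoked"
    return True, "ok"

def demo():  # constructed CA tree: self-signed root -> subordinate CA -> a switch's local cert
    root_k, sub_k, dev_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Root CA", root_k, "Root CA", root_k, True, 1)
    sub = issue("Sub CA", sub_k, "Root CA", root_k, True, 2)
    dev = issue("switch1.example.test", dev_k, "Sub CA", sub_k, False, 3)
    return {"valid": validate([dev, sub, root], issue_crl("Sub CA", sub_k, [])),
            "revoked": validate([dev, sub, root], issue_crl("Sub CA", sub_k, [3])),
            "crl_wrong_signer": validate([dev, sub, root], issue_crl("Sub CA", root_k, [])),
            "issuer_missing": validate([dev, root], issue_crl("Sub CA", sub_k, []))}
```

Each entry returned by demo() is one of the failure modes the help describes: a revoked serial number, a CRL not signed by the issuing CA, and a break in the chain of trust.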
PKI architecture
A PKI system consists of PKI entities, CAs, RAs, and a certificate/CRL repository.
• PKI entity—An end user using PKI certificates. The PKI entity can be an operator, an organization, a device like a router or a switch, or a process running on a computer. A valid PKI entity must include one or more of the following identity categories:
  ◦ Distinguished name (DN) of the entity, which further includes the common name, country code, locality, organization, unit in the organization, and state. If you configure the DN for an entity, a common name is required.
  ◦ FQDN of the entity.
  ◦ IP address of the entity.