Managing certificates, Overview, Recommended configuration procedure – H3C Technologies H3C MSR 50 User Manual
Managing certificates
Overview
Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI is built on
asymmetric (public key) cryptography: each entity holds a key pair, one private key that never leaves the
entity and one public key that is published. Data encrypted with the public key can be decrypted only with
the corresponding private key, and a signature produced with the private key can be verified by anyone
holding the public key.
PKI uses digital certificates to distribute and employ public keys, and provides network communication
and e-commerce with security services such as user authentication, data confidentiality, and data
integrity.
H3C's PKI system provides certificate management for IPsec, SSL, and WAPI.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality
and peer authentication.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. A common secure email protocol is S/MIME, which is based on PKI and
allows encrypted and signed mail to be transferred.
• Web security—For Web security, two peers can first establish an SSL connection for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted
communications between a browser and a server. The server proves its identity with a digital
certificate, and the client can optionally do the same (mutual authentication). For more information
about PKI, see Security Configuration Guide.
Recommended configuration procedure
The system supports the following PKI certificate request modes:
• Manual—In manual mode, you retrieve the CA certificate, generate a local RSA key pair, and
submit a local certificate request for an entity, each as a separate step.
• Auto—In auto mode, an entity automatically requests a certificate through SCEP (Simple Certificate
Enrollment Protocol) when it has no local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations. In either mode, the CA certificate is retrieved over an unauthenticated
channel, so compare its fingerprint with a value obtained from the CA operator out of band before trusting
it; a wrong CA certificate would let an attacker issue certificates the device accepts.
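The manual-mode steps above are performed in the router's configuration interface. The following script is an added example, not part of the H3C manual, that reproduces the same three artefacts with OpenSSL so they can be inspected and checked first: the CA certificate fingerprint is compared with an out-of-band value (this check applies equally to auto mode, where SCEP fetches the CA certificate), a 2048-bit RSA key pair is generated, and a certificate request for the entity is produced and verified against the private key. The CA here is a constructed test CA created locally, since no CA server is available offline; the subject names, paths and the `WORK` directory are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the H3C manual): the manual-mode PKI steps done with
# OpenSSL so the artefacts can be checked before a PKI domain is configured.
# All names and paths are illustrative assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Stand-in for "retrieve the CA certificate": a constructed self-signed test CA.
# In production the certificate comes from the CA server and must be checked
# against a fingerprint communicated out of band.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/O=Example Corp/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  echo "$WORK/ca.crt"
}

# SHA-256 fingerprint of a certificate, lowercase hex without colons.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Compare a retrieved CA certificate with the expected fingerprint (any
# colon/case formatting accepted). Returns 0 on match, 1 on mismatch.
verify_ca_fingerprint() {
  expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  [ "$(ca_fingerprint "$1")" = "$expected" ]
}

# Generate the local RSA key pair; the private key stays on the device and
# is readable only by its owner.
gen_local_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/local.key" 2>/dev/null
  chmod 600 "$WORK/local.key"
  echo "$WORK/local.key"
}

# Build the local certificate request for the PKI entity from its subject DN.
gen_local_csr() {
  openssl req -new -key "$1" -sha256 -subj "$2" -out "$WORK/local.csr" 2>/dev/null
  echo "$WORK/local.csr"
}

# Subject DN of a request, for review before it is submitted to the CA.
csr_subject() {
  openssl req -in "$1" -noout -subject | sed 's/^subject=//'
}

# Confirm the request carries the public key that belongs to the local private key.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: run the steps end to end against the constructed CA.
if [ "${1:-}" = "run" ]; then
  ca=$(make_test_ca)
  verify_ca_fingerprint "$ca" "$(ca_fingerprint "$ca")" && echo "CA fingerprint OK"
  key=$(gen_local_keypair)
  csr=$(gen_local_csr "$key" "/C=US/O=Example Corp/OU=Branch/CN=msr50.example.com")
  csr_matches_key "$csr" "$key" && echo "CSR subject: $(csr_subject "$csr")"
fi
```

Submit the resulting request (`local.csr`) to the CA and load the issued certificate together with the verified CA certificate; the private key file is never sent. If `verify_ca_fingerprint` fails, stop and obtain the CA certificate again rather than proceeding with a certificate whose origin is unknown.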