Ca policy, Architecture of pki, Entity – H3C Technologies H3C WX6000 Series Access Controllers User Manual


68-2

the name of the CA and the serial number of the certificate. A digital certificate must comply with the
international standard ITU-T X.509. This manual involves two types of certificates: local certificates and
CA certificates. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate,
also known as a root certificate, is signed by the CA for itself.

CRL

An existing certificate may need to be revoked when, for example, the user name changes, the private
key is compromised, or the user ceases business. Revoking a certificate removes the binding between the
public key and the user identity information. In PKI, revocation is made known through certificate
revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to
announce that the certificate is invalid. A CRL contains the serial numbers of all certificates that have been
revoked and so provides an effective way to check the validity of certificates.

A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing
them in a single CRL may degrade network performance.
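As an added illustration of the validity check described above (this is not code from the H3C manual), the following Python models CRL lookup rather than parsing DER: a CRL only answers for certificates from its issuing CA, it must be within its own validity window, and a missing or stale CRL leaves the status undetermined rather than good. The CA name, times and serial numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"                  # serial on no applicable, fresh CRL
    REVOKED = "revoked"            # serial listed by the issuing CA
    UNDETERMINED = "undetermined"  # no usable CRL: fail closed, do not assume good


@dataclass
class Crl:
    issuer: str               # name of the CA that signed this CRL
    this_update: datetime     # when the CRL was published
    next_update: datetime     # after this the CRL is stale
    revoked_serials: set = field(default_factory=set)


@dataclass
class Certificate:
    issuer: str
    serial: int


def check_revocation(cert: Certificate, crls: list, now: datetime) -> Status:
    """Decide a certificate's revocation status from the CRLs held locally.

    Only CRLs from the certificate's own issuer are consulted. A CA may split
    its revocations across several CRLs, so every applicable CRL must be
    fresh: a stale partition could hide exactly the serial we are looking for.
    """
    applicable = [c for c in crls if c.issuer == cert.issuer]
    if not applicable or any(not (c.this_update <= now < c.next_update)
                             for c in applicable):
        return Status.UNDETERMINED
    if any(cert.serial in c.revoked_serials for c in applicable):
        return Status.REVOKED
    return Status.GOOD


# Constructed sample data: one CA publishing two CRL partitions.
CA_NAME = "CN=Example Root CA"                      # constructed
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = NOW + timedelta(days=10)             # beyond next_update
SAMPLE_CRLS = [
    Crl(CA_NAME, NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1001, 0x1002}),
    Crl(CA_NAME, NOW - timedelta(days=1), NOW + timedelta(days=6), {0x2003}),
]
```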

CA policy

A CA policy is a set of criteria that a CA follows in managing certificate requests and in issuing and
revoking certificates and publishing CRLs. Usually, a CA advertises its policy in the form of a certification
practice statement (CPS), which can be acquired through out-of-band means such as phone, disk, or e-mail,
or through other means. Because different CAs may use different methods to verify the binding of a public
key with an entity, make sure that you understand the CA policy before selecting a trusted CA from which
to request a certificate.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA), and a PKI repository, as shown in
Figure 68-1.

Figure 68-1 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a
switch, or a process running on a computer.
