Applications of pki, Operation of pki, Configuring pki in the web interface – H3C Technologies H3C SecPath F1000-E User Manual

277

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information

and digital certificates from the RA server and provides directory navigation service. From an LDAP server,
an entity can retrieve digital certificates of its own and other entities.

Applications of PKI

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. Here are some application examples.
VPN—A virtual private network (VPN) is a private data communication network built on the public

communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec)

in conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can

address these needs. The secure email protocol that is currently developing rapidly is

Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer

of encrypted mails with signature.
Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for

transparent and secure communications at the application layer. With PKI, SSL enables encrypted

communications between a browser and a server. Both the communication parties can verify the identity

of each other through digital certificates.

Operation of PKI

In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check

the validity of certificate. The following describes how it works:

1.

An entity submits a certificate request to the CA.

2.

The RA verifies the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.

3.

The CA verifies the digital signature, approves the application, and issues a certificate.

4.

The RA receives the certificate from the CA, sends it to the LDAP server to provide directory
navigation service, and notifies the entity that the certificate is successfully issued.

5.

The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.

6.

The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server.

Configuring PKI in the Web interface

Recommended configuration procedure

The firewall supports the following PKI certificate request modes:

•

Manual—In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair,
and submit a local certificate request for an entity.

•

Auto—In auto mode, an entity automatically requests a certificate through Simple Certification
Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it
has no local certificate or the present certificate is about to expire.