Pki repository, Applications of pki, Secure e-mail – H3C Technologies H3C WX6000 Series Access Controllers User Manual

68-3

CA

A CA is a trusted entity responsible for issuing and managing digital certificates. A CA issues certificates,
specifies the validity period of a certificate, and revokes a certificate as needed by publishing CRLs.

RA

A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. The PKI standard recommends that an independent RA be used for registration
management to achieve higher security of application systems.

PKI repository

A PKI repository includes a Lightweight Directory Access Protocol (LDAP) server and some common
databases that stores and manages information like certificate requests, certificates, keys, CRLs and
logs while providing a simple query function.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service. From
an LDAP server, an entity can retrieve local and CA certificates of its own as well as certificates of other
entities.

Applications of PKI

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure,
PKI has a wide range of applications. Here are some application examples.

VPN

A virtual private network (VPN) is a proprietary data communication network built over the public
communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPSec)
in conjunction with PKI-based encryption and digital signature technologies for confidentiality.

Secure E-mail

E-mails also require confidentiality, integrity, authentication, and non-repudiation. PKI can address
these needs. The secure E-mail protocol that is currently developing rapidly is Secure/Multipurpose
Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails
and mails with signature.

Web security

For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for
transparent and secure communications at the application layer. With PKI, SSL enables
communications with encryption between a browser and a server. Both the communication parties can
identify the identity of each other through digital certificates.

Operation of PKI

In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check
the validity of certificates. Here is how it works:

1) An entity submits a certificate request to the CA.

2) RA reviews the identity of the entity and then sends the identity information and the public key with

a digital signature to the CA.

3) The CA validates the digital signature, approves the application, and issues a certificate.