451
PKI operation
The following describes how a PKI entity requests a local certificate from a CA, and how an RA is
involved in entity enrollment:
1. A PKI entity submits a certificate request to the CA.
2. The RA verifies the identity of the entity and sends a digital signature containing the identity
information and the public key to the CA
3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory
navigation service, and notifies the entity that the certificate is successfully issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.
6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server.
Configuring PKI
The device supports the following PKI certificate request modes:
• Manual—In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair,
and submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification
Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to
expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.
Recommended configuration procedure for manually
requesting a certificate
Ste
1. Creating a PKI entity
(Required.)
Create a PKI en
tity and configure the identity information.
A certificate is the binding of a public key and the identity information of an
entity, where the identity information is identified by an entity distinguished
name (DN). A CA identifies a certificate applicant uniquely by an entity DN.
To Next Page
Loading...
Need help?
General