No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
PKI System

PKI System

PKI System Architecture

The PKI system consists of the entity, CA, RA, and Certificate/CRL repository, as shown in Figure 15-1.

Figure 15-1  PKI system architecture

  • End entity

    An entity is an end user of PKI products or services. An entity can be an individual, an organization, a device (for example, a router or a switch), or a computer process.

  • CA

    The CA is the trust basis of the PKI and the trusted entity used to issue and manage digital certificates. A CA is used to issue certificates, specify certificate validity periods, and release CRLs.

  • RA

    The registration authority (RA) is the extension of the CA. The RA can be an independent agent or a part of the CA. The RA authenticates individual identities, manages CRLs, and generates and backs up key pairs. The international standard of PKI recommends to use an independent RA to manage registrations, which can improve the security o application systems.

  • Certificate/CRL repository

    The certificate or CRL repository stores certificates and CRLs for PKI entities to query and manage.


  • CA hierarchy

    The PKI system uses a multi-layer CA hierarchy, in which the CA on the top is the root CA and the other CAs are subordinate CAs. Upper-layer CAs issue and manage certificates for lower-layer CAs, and the CAs at the lowest layer issue certificates to end entities. Certificates issued by CAs at different layers form a certificate chain, in which each certificate is signed by the subsequent certificate. The end of a certificate chain is the root CA, which has a self-signed certificate.

    • The root CA is the first CA (trustpoint) in the PKI system. It issues certificates to subordinate CAs, PCs, users, and servers. In most certificate-based applications, users can find the root CA in certificate chains.
    • A subordinate CA must obtain a certificate from the root CA or another subordinate CA that has been authorized by the root CA to issue CA certificates.

    In a CA hierarchy, a subordinate CA obtains its CA certificate from the upper-layer CA, and the root CA creates a self-signed certificate.

  • CA types

    CAs are classified into the following types:
    • Self-signed CA: uses a self-signed certificate. The public key in the certificate is the same as the public key used to certify the digital signature.
    • Subordinate CA: uses a certificate issued by an upper-layer CA. The public key in the certificate is different from the public key used to certify the digital signature.
    • Root CA: is on the top of the CA hierarchy and trusted unconditionally by users. The root CA is the end of all certificate chains and signs its own certificate.
  • CA functions

    The main function of CAs is to issue and manage certificates. A CA is responsible for the following:
    • Receiving and verifying certificate applications from users
    • Determining whether to accept certificate applications from users
    • Issuing certificates to users or rejecting certificate applications
    • Receiving and processing certificate renewal requests
    • Responding to user requests to query or revoke certificates
    • Creating and issuing CRLs
    • Archiving certificates
    • Backing up and recovering keys
    • Archiving historical data


An RA helps CAs issue and manage certificates. It verifies user identities when receiving certificate enrollment and revocation requests, and determines whether to submit the requests to the corresponding CA.

An RA is usually integrated with a CA. Independent RAs can also be used to reduce CA workloads and enhance CA system security.

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 13383

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next