
Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
PKI Working Mechanism

On a PKI network, a PKI entity applies for a local certificate from the CA and the applicant device authenticates the certificate. Figure 17-9 shows the PKI working process.

Figure 17-9  PKI working process

  1. A PKI entity applies for a CA certificate (CA server's certificate) from the CA.

  2. When receiving the application request, the CA sends its own certificate to the PKI entity.

  3. The PKI entity installs the CA certificate.

    If the PKI entity uses SCEP for certificate application, it computes a digital fingerprint by running the hash algorithm over the received CA certificate and compares the computed fingerprint with the fingerprint pre-configured for the CA server. If the fingerprints are the same, the PKI entity accepts the CA certificate; otherwise, it discards the CA certificate.

  4. The PKI entity sends a certificate enrollment message (including the public key carried in the configured key pair and PKI entity information) to the CA.

    If the PKI entity uses SCEP for certificate application, it encrypts the enrollment message using the CA certificate's public key and signs the message using its own private key. If the CA server requires a challenge password, the enrollment message must contain a challenge password, which must be the same as the CA's challenge password.

  5. The CA receives the enrollment message from the PKI entity.

    If the PKI entity uses SCEP to apply for a local certificate, the CA uses its own private key to decrypt the enrollment message and the PKI entity's public key to decrypt the digital signature, and verifies the digital fingerprint. When the fingerprints are the same, the CA verifies the PKI entity's identity information. When the PKI entity's identity information passes verification, the CA accepts the application and issues a local certificate to the PKI entity. The CA uses the PKI entity's public key to encrypt the certificate and its own private key to digitally sign the certificate, and sends the certificate to the PKI entity. At the same time, the CA also sends the certificate to the certificate/CRL database.

  6. The PKI entity receives the certificate from the CA.

    If the PKI entity has applied for a local certificate using SCEP, the PKI entity uses its own private key to decrypt the certificate and the CA's public key to decrypt the digital signature, and verifies the digital fingerprint. If the digital fingerprint is the same as its local one, the PKI entity accepts and installs the local certificate.

  7. The PKI entities in a communication session need to obtain and install each other's local certificates. The PKI entities can download the peer's local certificates through HTTP. In special scenarios, such as IPSec application, the PKI entities actively send their local certificates to the peer.

  8. After the peer's local certificate is installed on the local end, the local end uses the CRL to check whether the peer certificate is valid.

  9. The PKI entities use the public keys in peer certificates for secure communication only after they confirm that the peer certificates are valid.

If an RA is available in a PKI system, the PKI entities also need to download the RA's certificate. The RA verifies the local certificate enrollment messages from PKI entities and forwards the messages to the CA after verification succeeds.
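As an added illustration (not part of the Huawei document and not Huawei code), the following Python models the two acceptance decisions the PKI entity makes in steps 3 and 8 above: the SCEP fingerprint comparison against the fingerprint pre-configured for the CA server, and the validity-period and CRL check of a peer's installed local certificate. The certificate bytes, fingerprint value, serial numbers and dates are constructed placeholders; the SCEP encryption and signature handling of steps 4 to 6 is not modelled.

```python
"""Added example (not Huawei's code): models two checks from the PKI procedure.
Step 3: accept the CA certificate only when its hash fingerprint equals the value
pre-configured for the CA server. Step 8: check the peer's local certificate
against its validity period and the CA's CRL. All certificate bytes and parsed
fields are constructed placeholders; a real device parses X.509/CRL ASN.1 and
verifies the CRL signature with the CA certificate before reaching this logic."""
from __future__ import annotations

import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for a PEM-encoded CA certificate: the body is only
# base64("abc"), not a real X.509 structure, so the example runs offline.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

# Fingerprint the administrator pre-configures on the PKI entity, obtained out of
# band from the CA operator. Here it is SHA-256 of the constructed bytes above, in
# the colon-separated form that tools such as 'openssl x509 -fingerprint' print.
CONFIGURED_CA_FINGERPRINT = (
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
    "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Lower-case hex digest of the DER-encoded certificate."""
    return hashlib.new(algorithm, der).hexdigest()


def accept_ca_certificate(pem: str, configured: str, algorithm: str = "sha256") -> bool:
    """Step 3: install the CA certificate only if its computed fingerprint matches
    the pre-configured one; otherwise discard it. The comparison is constant-time
    and tolerant of the colon/upper-case presentation form."""
    expected = configured.replace(":", "").lower()
    computed = fingerprint(pem_to_der(pem), algorithm)
    return hmac.compare_digest(computed, expected)


def check_peer_certificate(cert: dict, crl: dict, now: datetime) -> tuple[bool, str]:
    """Step 8: decide whether an installed peer certificate may be trusted.
    `cert` and `crl` hold already-parsed fields (constructed for this example).
    Returns (accepted, reason)."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, "outside validity period"
    if crl["issuer"] != cert["issuer"]:
        return False, "CRL was not issued by the certificate's CA"
    if now > crl["next_update"]:
        return False, "CRL is stale; download a fresh CRL before trusting the peer"
    if cert["serial"] in crl["revoked_serials"]:
        return False, "certificate is listed in the CRL"
    return True, "valid"


# Constructed parsed fields of a peer's local certificate and of the CA's CRL.
UTC = timezone.utc
PEER_CERT = {
    "serial": 0x1A2B,
    "issuer": "CN=Sample CA",
    "not_before": datetime(2019, 1, 1, tzinfo=UTC),
    "not_after": datetime(2020, 1, 1, tzinfo=UTC),
}
REVOKED_CERT = dict(PEER_CERT, serial=0x0999)
CA_CRL = {
    "issuer": "CN=Sample CA",
    "this_update": datetime(2019, 3, 1, tzinfo=UTC),
    "next_update": datetime(2019, 4, 1, tzinfo=UTC),
    "revoked_serials": {0x0999},
}
CHECK_TIME = datetime(2019, 3, 15, tzinfo=UTC)        # inside the CRL's validity window
AFTER_CRL_EXPIRY = datetime(2019, 5, 1, tzinfo=UTC)   # certificate still valid, CRL stale

if __name__ == "__main__":
    print("CA certificate accepted:", accept_ca_certificate(SAMPLE_CA_PEM, CONFIGURED_CA_FINGERPRINT))
    print("peer certificate:", check_peer_certificate(PEER_CERT, CA_CRL, CHECK_TIME))
    print("revoked certificate:", check_peer_certificate(REVOKED_CERT, CA_CRL, CHECK_TIME))
    print("stale CRL:", check_peer_certificate(PEER_CERT, CA_CRL, AFTER_CRL_EXPIRY))
```

The stale-CRL branch is the point a practitioner most often overlooks: a CRL past its next-update time cannot prove the peer is unrevoked, so the entity refreshes the CRL rather than trusting the old copy. The fingerprint check is also where the out-of-band value matters; if the configured fingerprint is wrong or missing, step 3 fails closed and no CA certificate is installed.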

Updated: 2019-04-01

Document ID: EDOC1000178319
