3com 2928 Guida Utente
1-2
Architecture of PKI
A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in
Figure 1-1
PKI architecture
Entity
An entity is an end user of PKI products or services, such as a person, an organization, a device like a
router or a switch, or a process running on a computer.
router or a switch, or a process running on a computer.
CA
A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates.
A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed
by publishing CRLs.
A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed
by publishing CRLs.
RA
A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. It only examines the qualifications of users; it does not sign certificates. Sometimes, a CA
assumes the registration management responsibility and therefore there is no independent RA. The
PKI standard recommends that an independent RA be used for registration management to achieve
higher security of application systems.
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. It only examines the qualifications of users; it does not sign certificates. Sometimes, a CA
assumes the registration management responsibility and therefore there is no independent RA. The
PKI standard recommends that an independent RA be used for registration management to achieve
higher security of application systems.
PKI repository
A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database.
It stores and manages information like certificate requests, certificates, keys, CRLs and logs while
providing a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service. From
an LDAP server, an entity can retrieve digital certificates of its own and other entities.
It stores and manages information like certificate requests, certificates, keys, CRLs and logs while
providing a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service. From
an LDAP server, an entity can retrieve digital certificates of its own and other entities.
Applications of PKI
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure,
PKI has a wide range of applications. Here are some application examples.
PKI has a wide range of applications. Here are some application examples.