3Com 2928 User Guide

1-3 
VPN 
A virtual private network (VPN) is a private data communication network built on the public 
communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPSec) 
in conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality. 
Secure E-mail 
E-mail requires confidentiality, integrity, authentication, and non-repudiation, all of which PKI can 
provide. The secure E-mail protocol that is currently developing most rapidly is Secure/Multipurpose 
Internet Mail Extensions (S/MIME), which is based on PKI and allows encrypted and signed mail to be 
transferred. 
Web security 
For Web security, two peers can first establish a Secure Sockets Layer (SSL) connection for 
transparent and secure communication at the application layer. With PKI, SSL enables encrypted 
communication between a browser and a server, and both communicating parties can verify each 
other's identity through digital certificates. 
Operation of PKI 
In a PKI-enabled network, an entity can request a local certificate from the CA, and a device can check 
the validity of a certificate. The following describes how it works: 
1)  An entity submits a certificate request to the CA. 
2)  The RA verifies the identity of the entity and then sends the identity information and the public key 
with a digital signature to the CA. 
3)  The CA verifies the digital signature, approves the application, and issues a certificate. 
4)  The RA receives the certificate from the CA, sends it to the LDAP server to provide directory 
navigation service, and notifies the entity that the certificate is successfully issued. 
5)  The entity retrieves the certificate. With the certificate, the entity can communicate with other 
entities safely through encryption and digital signature. 
6)  The entity makes a request to the CA when it needs to revoke its certificate; the CA approves 
the request, updates the CRLs and publishes the CRLs on the LDAP server. 
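As an added example (not from the 3Com manual), the six steps above played out with the openssl command line: the entity generates its RSA key pair and certificate request (step 1), the CA verifies the request signature and issues the certificate into its database (steps 3 and 4, with the index file standing in for the LDAP directory), a device checks validity against the CA certificate and the published CRL (step 5), and after revocation the republished CRL makes the same check fail (step 6). The CA name "Demo CA", the entity name "switch.example.test" and the throw-away working directory are constructed for the demo; the RA's identity vetting in step 2 is an out-of-band decision that is represented here only by the operator running `openssl ca`.

```shell
#!/bin/sh
# Added example, not code from the 3Com manual. Assumes the openssl CLI
# (1.1.1 or later, so that "openssl verify" exits non-zero on failure).
# "Demo CA" and "switch.example.test" are constructed names.
set -e

# Build a one-directory CA: config, certificate database, serial and CRL-number files.
pki_setup_ca() {
    WORK=$(mktemp -d); export WORK
    mkdir "$WORK/newcerts"
    : > "$WORK/index.txt"        # issued-certificate database (plays the LDAP directory role)
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
x509_extensions  = v3_entity
unique_subject   = no
[ policy_any ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_entity ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF
    # Self-signed CA certificate: the "CA certificate" an entity retrieves first.
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" -days 365 2>/dev/null
}

# Step 1: the entity generates a local RSA key pair and submits a certificate request (CSR).
pki_entity_request() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/entity.key" -out "$WORK/entity.csr" \
        -subj "/CN=switch.example.test" 2>/dev/null
}

# Steps 3-4: the CA checks the request signature, issues the certificate, records it in
# its database and publishes an (initially empty) CRL.
pki_ca_issue() {
    openssl ca -config "$WORK/ca.cnf" -batch -notext \
        -in "$WORK/entity.csr" -out "$WORK/entity.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Step 5: a device checks the certificate chain against the CA certificate and the CRL.
# Returns 0 when the certificate is valid and unrevoked, non-zero otherwise.
pki_check_cert() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$WORK/entity.crt" >/dev/null 2>&1
}

# Step 6: the CA approves the revocation request and publishes an updated CRL.
pki_revoke() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/entity.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

pki_demo() {
    pki_setup_ca
    pki_entity_request
    pki_ca_issue
    if pki_check_cert; then echo "before revocation: certificate valid"; else return 1; fi
    pki_revoke
    if pki_check_cert; then return 1; else echo "after revocation: certificate rejected"; fi
}

pki_demo
```

The CRL step is the part practitioners most often leave out: without `-crl_check` (or an equivalent CRL/OCSP check on the device), `openssl verify` would still accept the revoked certificate because the signature chain to the CA remains perfectly valid.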
Configuring PKI 
Configuration Task List 
There are two PKI certificate request modes: 
•  Manual: In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and 
submit a local certificate request for an entity. 
•  Auto: In auto mode, an entity automatically requests a certificate through the Simple Certificate 
Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to 
expire. 
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request 
modes require different configurations: 
Requesting a certificate manually 
Perform the tasks in 
 to request a certificate manually.