Cisco ASA 5515-X Adaptive Security Appliance Design Guide
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 2 of 53
installs it on the computer, he or she can participate in the secured network. For CACs, this entire
process is handled when the CAC is provisioned.
Figure 1. Public Key Infrastructure Enrollment
PKI is used most frequently for encrypted e-mail communications and IPSec tunnel negotiation,
both of which use the identity and security features of the certificate. The identity components
determine the identity of the user, their level of access to the particular type of communication
under negotiation, and the encryption information that protects the communication from other
parties who are not allowed access. Communicating parties exchange certificates and inspect
the presented information. Each certificate is checked to confirm that it is within its validity period
and that it was issued by a trusted PKI. If all the identity information is appropriate,
the public key is extracted from the certificate and used to establish an encrypted session.
Detailed documentation on PKI is readily available on the Internet or in numerous publications.
X.509 Certificate Fields
X.509 is the ubiquitous and well-known standard that defines basic PKI formats such as the certificate
and Certificate Revocation List (CRL) formats and enables basic interoperability. The standard has
been widely used for years with many Internet applications such as SSL or IPSec. The most
important pieces of information contained in the certificate are:
● Subject
● Public key
● Signature of the CA
● Certificate serial number
● Certificate expiration date
● Algorithms used to generate the signature
● Key usage
The CAC certificates include each of these attributes, plus additional attributes that are needed for
authentication such as Subject Alternative Name (SAN) and Enhanced Key Usage (EKU).
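The checks described above (validity period, issuer trust, then public-key extraction) and the certificate fields listed here can be exercised with the openssl command-line tool. The script below is an added example and is not part of the Cisco guide: it builds a throwaway root CA and a CAC-style user certificate (the organization, the DOE.JOHN.1234567890 name, the example.test domain and the UPN value are all constructed), then runs each check as a small shell function. It goes one step beyond the text by also presenting a self-signed certificate with an identical Subject, which is exactly the case the "issued by a trusted PKI" check exists to reject.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: build a throwaway two-level PKI with the
# openssl CLI, then run the checks the text describes on the user certificate:
# validity period, signature by a trusted CA, and finally public-key extraction.
# Every name below (Example Root CA, DOE.JOHN.1234567890, example.test) is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Constructed trust anchor: a self-signed root CA with explicit CA extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/CN=Example Root CA" \
    -keyout ca.key -out ca.csr >/dev/null 2>&1
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.pem >/dev/null 2>&1

# 2. A CAC-style user certificate issued by that CA, carrying the extensions the
#    text lists as needed for authentication: Key Usage, SAN (with a UPN) and EKU.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/OU=Users/CN=DOE.JOHN.1234567890" \
    -keyout user.key -out user.csr >/dev/null 2>&1
cat > user.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:1234567890@example.test, email:john.doe@example.test
EOF
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile user.ext -out user.pem >/dev/null 2>&1

# 3. A self-signed certificate with the SAME Subject but no link to our CA: this is
#    what the "issued by a trusted PKI" check must reject.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/O=Example Org/OU=Users/CN=DOE.JOHN.1234567890" \
    -keyout rogue.key -out rogue.pem >/dev/null 2>&1

# Validity-period check: exit 0 only if the cert is still valid $2 seconds from now.
cert_within_validity() { openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null; }

# Trust check: the CA signature must verify against a trust anchor in $2, the chain
# must be inside its validity period, and the cert must be usable for client
# authentication (EKU clientAuth and Key Usage digitalSignature), i.e. the
# extensions the text says are needed for authentication.
cert_chains_to_trusted_ca() { openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1; }

# Final step from the text: extract the public key that protects the session.
cert_public_key() { openssl x509 -in "$1" -noout -pubkey; }

# The fields the text lists, read straight off the certificate.
cert_field() {
    case "$1" in
        sigalg) openssl x509 -in "$2" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1 ;;
        san)    openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 ;;
        eku)    openssl x509 -in "$2" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 ;;
        *)      openssl x509 -in "$2" -noout "-$1" ;;   # subject, issuer, serial, dates
    esac
}

for f in subject issuer serial dates sigalg san eku; do
    printf '%-8s %s\n' "$f:" "$(cert_field "$f" user.pem)"
done
cert_within_validity user.pem && echo "user.pem: within validity period"
cert_chains_to_trusted_ca user.pem ca.pem && echo "user.pem: signed by trusted CA"
cert_chains_to_trusted_ca rogue.pem ca.pem || echo "rogue.pem: rejected, not issued by a trusted CA"
cert_public_key user.pem | head -n 1
```

Run it with sh; it needs only the openssl binary. `openssl verify -purpose sslclient` performs the validity-period and CA-signature checks together and additionally demands the clientAuth EKU and the digitalSignature Key Usage, so a certificate that chains correctly but lacks the authentication extensions is refused as well. The rogue certificate reproduces every identity field of the real one, which is why identity fields alone are never sufficient and the signature of a trusted CA must be verified first.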
Subject
The Subject consists of the Distinguished Name (DN), which is the certificate owner’s full name
and X.509 structure. For the CAC, this is in the format: