Introduction to PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI is designed to automate secret key and certificate management, and to assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. PKI manages public keys through certificates: a trusted third party binds a public key to the identity of its user, which authenticates the user over the Internet. A PKI system consists of Public Key Cryptography, a CA, an RA, Digital Certificates and a related PKI storage library.
The following section describes PKI terminology:
- Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private key. The public key is widely distributed, while the private key is known only to the recipient. The two keys in the key pair complement each other: data encrypted with one key can only be decrypted with the other key of the pair.
- CA (Certificate Authority): A trusted entity that issues digital certificates to individuals, computers or any other entities. The CA accepts certificate requests and verifies the information provided by the applicants against its certificate management policy. If the information is valid, the CA signs the certificates with its private key and issues them to the applicants.
- RA (Registration Authority): An extension of the CA. The RA forwards certificate requests to the CA, and also forwards the digital certificates and CRLs issued by the CA to directory servers in order to provide directory browsing and query services.
- CRL (Certificate Revocation List): Each certificate has an expiration date. However, the CA might revoke a certificate before that date because of key leakage, business termination or other reasons. Once a certificate is revoked, the CA issues a CRL to announce that the certificate is invalid and to list the serial number of the invalid certificate.
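The issue-and-verify flow described in the list above, as an added sketch that is not from the original page or from any product: the CA signs a certificate with its private key, and a relying party checks that signature with the CA public key, then checks the CRL serial numbers and the expiration date. The toy RSA key, the field names and the function names are assumptions made for illustration; unpadded RSA over these primes is not secure.

```python
import hashlib
from datetime import datetime, timezone

# Constructed toy CA key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; it is trivially factorable and not a real CA key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                           # CA public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))   # CA private exponent


def _digest(cert):
    """Hash every field except the signature and reduce it into Z_N."""
    tbs = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "sig")
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % N


def ca_issue(subject, subject_pub, serial, not_after):
    """CA binds an identity to a public key and signs with its private key."""
    cert = {"subject": subject, "pub": subject_pub, "serial": serial,
            "not_after": not_after.isoformat()}
    cert["sig"] = pow(_digest(cert), D, N)
    return cert


def verify(cert, crl_serials, now):
    """Relying-party check using only the CA public key and the CRL."""
    if pow(cert["sig"], E, N) != _digest(cert):
        return "bad-signature"      # fields changed or not signed by this CA
    if cert["serial"] in crl_serials:
        return "revoked"            # listed in the CRL before expiration
    if now > datetime.fromisoformat(cert["not_after"]):
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample data: subject name, key label and serial are made up.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cert = ca_issue("vpn-gw.example", "constructed-public-key", 1001,
                    datetime(2030, 1, 1, tzinfo=timezone.utc))
    print(verify(cert, set(), now))                       # no CRL entry
    print(verify(cert, {1001}, now))                      # serial in CRL
    print(verify(dict(cert, subject="other.example"), set(), now))
```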
The following modules of security devices support PKI:
- IKE VPN: The device supports PKI when a user creates an IKE VPN.
- HTTPS/SSH: The device supports PKI when a user accesses the security device over HTTPS or SSH.