H3C WX Series Access Controllers



Managing certificates

PKI overview

The Public Key Infrastructure (PKI) is a general security infrastructure that provides information security through public key technologies, and it is currently the most widely applied encryption mechanism.

H3C's PKI system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).

PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.

A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, helping distribute public keys in large networks securely.

With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity.

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples:

• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature.

• Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both communication parties can verify the identity of each other through digital certificates.

NOTE:
For more information about PKI, see the Security Configuration Guide.

Configuring PKI

The system supports the following PKI certificate request modes:

• Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.

• Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.


Recommended configuration procedure for manual request

1. Creating a PKI entity
   Required.
   Create a PKI entity and configure the identity information.
   A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
   The identity settings of an entity must comply with the CA certificate issue policy. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain
   Required.
   Create a PKI domain, setting the certificate request mode to Manual.
   Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
   A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair
   Required.
   Generate a local RSA key pair.
   By default, no local RSA key pair exists.
   Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
   IMPORTANT: If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

4. Retrieving the CA certificate
   Required.
   Certificate retrieval serves the following purposes:
   • Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
   • Prepare for certificate verification.
   IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This avoids possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local certificate first.

5. Requesting a local certificate
   Required.
   When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
   A certificate request can be submitted to a CA in online mode or offline mode.
   • In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
   • In offline mode, you must retrieve the local certificate by an out-of-band means.
   IMPORTANT: If a local certificate already exists, you cannot perform the local certificate retrieval operation. This avoids possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.

6. Destroying the RSA key pair
   Optional.
   If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
   Destroying the existing RSA key pair also destroys the corresponding local certificate.

7. Retrieving and displaying a certificate
   Required if you request a certificate in offline mode.
   Retrieve an existing certificate and display its contents.
   IMPORTANT: If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means. Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.

8. Retrieving and displaying a CRL
   Optional.
   Retrieve a CRL and display its contents.

Recommended configuration procedure for automatic request

1. Creating a PKI entity
   Required.
   Create a PKI entity and configure the identity information.
   A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
   The identity settings of an entity must comply with the CA certificate issue policy. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain
   Required.
   Create a PKI domain, setting the certificate request mode to Auto.
   Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
   A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Destroying the RSA key pair
   Optional.
   If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
   Destroying the existing RSA key pair also destroys the corresponding local certificate.

4. Retrieving and displaying a certificate
   Optional.
   Retrieve an existing certificate and display its contents.
   IMPORTANT: Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration. If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.

5. Retrieving and displaying a CRL
   Optional.
   Retrieve a CRL and display its contents.

Creating a PKI entity

1. Select Authentication > Certificate Management from the navigation tree.
   The PKI entity list page is displayed by default.
Figure 479 PKI entity list
2. Click Add to enter the PKI entity configuration page.
Figure 480 PKI entity configuration page
3. Configure the parameters as described in Table 148.
4. Click Apply.

Table 148 Configuration items

Entity Name
   Enter the name for the PKI entity.
Common Name
   Enter the common name for the entity.
IP Address
   Enter the IP address of the entity.
FQDN
   Enter the fully qualified domain name (FQDN) for the entity.
   An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.
Country/Region Code
   Enter the country or region code for the entity.
State
   Enter the state or province for the entity.
Locality
   Enter the locality for the entity.
Organization
   Enter the organization name for the entity.
Organization Unit
   Enter the unit name for the entity.

Creating a PKI domain

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Domain tab.
Figure 481 PKI domain list
3. Click Add to enter the PKI domain configuration page.
Figure 482 PKI domain configuration page
4. Configure the parameters as described in Table 149.
5. Click Apply.

Table 149 Configuration items

Domain Name
   Enter the name for the PKI domain.
CA Identifier
   Enter the identifier of the trusted CA.
   An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for certificate registration, distribution, revocation, and query.
   In offline mode, this item is optional. In other modes, this item is required.
Entity Name
   Select the local PKI entity.
   When submitting a certificate request to a CA, an entity needs to show its identity information.
   Available PKI entities are those that have been configured.
Institution
   Select the authority for certificate request.
   • CA—Indicates that the entity requests a certificate from a CA.
   • RA—Indicates that the entity requests a certificate from an RA.
   RA is recommended.
Requesting URL
   Enter the URL of the RA.
   The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority.
   In offline mode, this item is optional. In other modes, this item is required.
   IMPORTANT: This item does not support domain name resolution.
LDAP IP / Port / Version
   Enter the IP address, port number, and version of the LDAP server.
   In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.
Request Mode
   Select the online certificate request mode, which can be auto or manual.
Password Encrypt
   Select this box to display the password in cipher text.
   This box is available only when the certificate request mode is set to Auto.
Password
   Enter the password for certificate revocation.
   This item is available only when the certificate request mode is set to Auto.
Fingerprint Hash / Fingerprint
   Specify the fingerprint used for verifying the CA root certificate.
   After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
   • If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
   • If you specify SHA1 as the hash algorithm, enter a SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
   • If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
   IMPORTANT: The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate and you yourself must make sure that the CA server is trusted.
Polling Count / Polling Interval
   Set the polling interval and attempt limit for querying the certificate request status.
   After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking
   Click this box to specify that CRL checking is required during certificate verification.
CRL Update Period
   Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs.
   This item is available when the Enable CRL Checking box is selected.
   By default, the CRL update period depends on the next update field in the CRL file.
CRL URL
   Enter the URL of the CRL distribution point.
   This item is available when the Enable CRL Checking box is selected.
   When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
   IMPORTANT: This item does not support domain name resolution.
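The fingerprint check described for the Fingerprint Hash and Fingerprint items, as an added Python example that is not part of the H3C manual or the device firmware: it strips the PEM armour from a received CA root certificate, hashes the DER bytes with MD5 or SHA1, validates that the configured fingerprint has the 32 or 40 hexadecimal characters the table requires, and compares the two values in constant time. It also shows the case the IMPORTANT note warns about: with no fingerprint hash configured, the root certificate is accepted without any verification. The certificate bytes and PEM block are constructed stand-ins, not a real certificate, and every function name is an assumption of this example.

```python
import base64
import hashlib
import hmac

# Hexadecimal fingerprint lengths required by the PKI domain settings above.
FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}

# Constructed stand-in for a DER-encoded CA root certificate (NOT a real certificate).
# The fingerprint is a hash over the raw certificate bytes, so any byte string exercises the logic.
SAMPLE_ROOT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256))
SAMPLE_ROOT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_ROOT_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = [line.strip() for line in pem_text.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der_bytes, hash_name):
    """Hash the DER bytes with md5 or sha1 and return lowercase hex (32 or 40 chars)."""
    if hash_name not in FINGERPRINT_LENGTH:
        raise ValueError("fingerprint hash must be md5 or sha1")
    return hashlib.new(hash_name, der_bytes).hexdigest()


def validate_configured_fingerprint(hash_name, configured):
    """Reject a configured fingerprint whose length or character set is wrong for the hash.
    Colons and spaces (common in fingerprint displays) are tolerated and removed."""
    expected_len = FINGERPRINT_LENGTH[hash_name]
    cleaned = configured.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != expected_len:
        raise ValueError(
            f"{hash_name} fingerprint must be {expected_len} hex characters, got {len(cleaned)}")
    int(cleaned, 16)  # raises ValueError on any non-hexadecimal character
    return cleaned


def verify_root_certificate(der_bytes, hash_name, configured):
    """Return (accepted, reason). hash_name=None models an unconfigured Fingerprint Hash:
    the root certificate is then accepted unverified, exactly as the table warns."""
    if hash_name is None:
        return True, "no fingerprint configured: root certificate accepted without verification"
    expected = validate_configured_fingerprint(hash_name, configured)
    actual = fingerprint(der_bytes, hash_name)
    # Constant-time comparison so the check does not leak how many leading hex digits matched.
    if hmac.compare_digest(actual, expected):
        return True, f"{hash_name} fingerprint matches"
    return False, f"{hash_name} fingerprint mismatch: root certificate rejected"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_ROOT_PEM)
    fp = fingerprint(der, "sha1")
    print("sha1 fingerprint:", fp)
    print(verify_root_certificate(der, "sha1", fp.upper()))
    print(verify_root_certificate(der[:-1] + b"\x00", "sha1", fp))
    print(verify_root_certificate(der, None, ""))
```

The length and hex validation catches a fingerprint that was pasted with a digit missing before it silently fails every comparison; the unconfigured-hash branch makes explicit that, in that state, whatever certificate the SCEP server returns becomes the trust anchor for the domain.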

Generating an RSA key pair

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
Figure 483 Certificate configuration page
3. Click Create Key to enter the RSA key pair parameter configuration page.
Figure 484 Key pair parameter configuration page
4. Set the key length.
5. Click Apply.

Destroying the RSA key pair

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 485 Key pair destruction page

Retrieving and displaying a certificate

You can download an existing CA certificate or local certificate from the CA server and save it locally.

To do so, you can use offline mode or online mode. In offline mode, you can retrieve a certificate by an out-of-band means like FTP, disk, or email and then import it into the local PKI system.

To retrieve a certificate:

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Retrieve Cert to enter the PKI certificate retrieval page.
Figure 486 PKI certificate retrieval page
4. Configure the parameters as described in Table 150.
5. Click Apply.

Table 150 Configuration items

Domain Name
   Select the PKI domain for the certificate.
Certificate Type
   Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode
   Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.
Get File From Device / Get File From PC
   Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
   • If the certificate file is saved on the device, select Get File From Device and then specify the path of the file on the device.
   • If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the file and select the partition of the device for saving the file.
Password
   Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.

6. After retrieving a certificate, click View Cert for the certificate in the PKI certificates list to display the contents of the certificate.
Figure 487 Certificate information

Requesting a local certificate

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.
Figure 488 Local certificate request page
4. Configure the parameters as described in Table 151.

Table 151 Configuration items

Domain Name
   Select the PKI domain for the certificate.
Password
   Enter the password for certificate revocation.
Enable Offline Mode
   Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.

5. Click Apply.
   If you request the certificate in online mode, the system displays "Certificate request has been submitted." Click OK. If you request the certificate in offline mode, the system displays the offline certificate request information. You can submit the information to the CA by an out-of-band means.
Figure 489 Offline certificate request information page

Retrieving and displaying a CRL

1. Select Authentication > Certificate Management from the navigation tree.
2. Click the CRL tab.
Figure 490 CRL page
3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.
Figure 491 CRL information

Certificate management configuration example

Network requirements

As shown in Figure 492, configure the AC as the PKI entity, so that:

• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.

• The AC acquires CRLs for certificate verification.

Figure 492 Network diagram

Configuring the CA server

1. Create a CA server named myca.
   In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). Leave the default values of the other attributes.
2. Configure extended attributes.
   After you configure the basic attributes, perform configuration on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior.
   After you complete the previous configuration, perform CRL related configurations.
   In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
   After this configuration, make sure that the system clock of the AC is synchronized with that of the CA, so that the AC can request certificates and retrieve CRLs properly.

Configuring the AC

1. Create a PKI entity.
   a. Select Authentication > Certificate Management from the navigation tree. The PKI entity list page is displayed by default.
   b. Click Add.
   c. Enter aaa as the PKI entity name.
   d. Enter ac as the common name.
   e. Click Apply.
Figure 493 Configuring a PKI entity

2. Create a PKI domain.
   a. Click the Domain tab.
   b. Click Add.
   c. Enter torsa as the PKI domain name.
   d. Enter myca as the CA identifier.
   e. Select aaa as the local entity.
   f. Select CA as the authority for certificate request.
   g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request. The URL must be in the format http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
   h. Select Manual as the certificate request mode.
   i. Click the expansion button before Advanced Configuration to display the advanced configuration items.
   j. Click the Enable CRL Checking box.
   k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
   l. Click Apply. The system displays "Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?"
   m. Click OK.
Figure 494 Configuring a PKI domain

3. Generate an RSA key pair.
   a. Click the Certificate tab.
   b. Click Create Key to enter the page.
   c. Enter 1024 for the key length.
   d. Click Apply to generate an RSA key pair.
Figure 495 Generating an RSA key pair

4. Retrieve the CA certificate.
   a. Click the Certificate tab.
   b. Click Retrieve Cert.
   c. Select torsa as the PKI domain.
   d. Select CA as the certificate type.
   e. Click Apply.
Figure 496 Retrieving the CA certificate

5. Request a local certificate.
   a. Click the Certificate tab.
   b. Click Request Cert.
   c. Select torsa for the PKI domain.
   d. Select Password and then enter challenge-word as the password.
   e. Click Apply. The system displays "Certificate request has been submitted".
   f. Click OK.
Figure 497 Requesting a local certificate

6. Retrieve the CRL.
   a. Click the CRL tab.
   b. Click Retrieve CRL for the PKI domain torsa.
Figure 498 Retrieving the CRL
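A configuration check for the two URL items that do not support domain name resolution (the certificate request URL in step 2g and the CRL URL in step 2k), as an added Python example that is not from the H3C manual or the device firmware. It parses a candidate URL with the standard library and reports a hostname that is not an IP literal, a missing port, a scheme other than http, and, for the request URL, a path that is not the hexadecimal Issuing Jurisdiction ID the step describes. The function name check_pki_url, the http-only rule and the explicit-port rule are assumptions taken from the URL format shown in step 2g, not from any H3C specification; the sample URLs are the ones on this page plus constructed bad variants.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def check_pki_url(url, kind):
    """Return a list of configuration problems for a PKI URL; an empty list means it passed.
    kind is 'request' (certificate request URL) or 'crl' (CRL distribution point URL)."""
    problems = []
    parts = urlsplit(url)

    # Assumption from the step 2g format: the device talks plain http to the CA/RA.
    if parts.scheme.lower() != "http":
        problems.append(f"scheme '{parts.scheme}' is not http")

    # The page states these items do not resolve domain names, so the host must be an IP literal.
    host = parts.hostname
    if not host:
        problems.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"host '{host}' is a domain name; this item does not resolve names, "
                            "use the server IP address instead")

    # Assumption: the format http://host:port/... always carries an explicit port.
    try:
        port = parts.port          # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        port = None
    if port is None:
        problems.append("missing or invalid port")

    path = parts.path.lstrip("/")
    if not path:
        problems.append("empty path")
    elif kind == "request" and not re.fullmatch(r"[0-9a-fA-F]+", path):
        problems.append("path is not a hexadecimal Issuing Jurisdiction ID")
    return problems


if __name__ == "__main__":
    # URLs taken from this page, followed by constructed misconfigurations.
    samples = [
        ("http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337", "request"),
        ("http://4.4.4.133:447/myca.crl", "crl"),
        ("http://ca.example.com:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337", "request"),
        ("https://4.4.4.133/myca.crl", "crl"),
    ]
    for url, kind in samples:
        print(url, "->", check_pki_url(url, kind) or "OK")
```

Running a check like this before the domain is applied catches the silent failure mode the IMPORTANT notes describe: a hostname-based URL is accepted by the form but the device cannot resolve it, so enrollment and CRL retrieval fail later with no obvious link back to the URL item.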


Verifying the configuration

After the configuration, you can select Certificate Management > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL.

Configuration guidelines

When you configure PKI, note the following guidelines:

• Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of certificates will be abnormal.

• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.

• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need to specify RA as the authority for certificate request when you configure the PKI domain.

• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you need to specify CA as the authority for certificate request when you configure the PKI domain.
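The clock guideline above (certificate validity periods become abnormal when entity and CA clocks differ) and the auto-mode re-request when a certificate is about to expire, as an added Python example that is not part of the H3C manual or the device firmware. It parses the UTCTime and GeneralizedTime forms used for X.509 validity dates, evaluates the validity window as a device with a skewed clock would see it, and applies a renewal threshold. The validity dates, the one-hour and 400-day clock offsets, the 30-day renewal threshold and all function names are constructed for this example.

```python
from datetime import datetime, timedelta, timezone


def parse_x509_time(text):
    """Parse an X.509 validity time: UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime 'YYYYMMDDHHMMSSZ'.
    Two-digit years follow the RFC 5280 rule: 50-99 means 19xx, 00-49 means 20xx."""
    if not text.endswith("Z"):
        raise ValueError("only Zulu (UTC) times are accepted")
    digits = text[:-1]
    if len(digits) == 12:            # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time syntax: {text!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_status(not_before, not_after, device_clock):
    """What a device whose clock reads device_clock concludes about the certificate."""
    if device_clock < not_before:
        return "not yet valid"
    if device_clock > not_after:
        return "expired"
    return "valid"


def status_with_clock_offset(not_before_text, not_after_text, true_now, device_offset):
    """Evaluate the certificate as seen by a device whose clock is off by device_offset."""
    not_before = parse_x509_time(not_before_text)
    not_after = parse_x509_time(not_after_text)
    return validity_status(not_before, not_after, true_now + device_offset)


def needs_renewal(not_after_text, device_clock, threshold):
    """Auto-mode style check: the certificate counts as 'about to expire' within threshold."""
    return parse_x509_time(not_after_text) - device_clock <= threshold


# Constructed sample validity period (not from a real certificate).
SAMPLE_NOT_BEFORE = "240101000000Z"      # UTCTime: 2024-01-01 00:00:00 UTC
SAMPLE_NOT_AFTER = "20250101000000Z"     # GeneralizedTime: 2025-01-01 00:00:00 UTC


def demo_clock_skew():
    """Worked scenario: the true time is 30 minutes into the validity period. A device whose
    clock runs one hour slow rejects a certificate the CA has just issued; the same device with
    a clock 400 days fast treats it as already expired."""
    true_now = parse_x509_time("20240101003000Z")
    return {
        "clock_1h_slow": status_with_clock_offset(
            SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, true_now, timedelta(hours=-1)),
        "clock_correct": status_with_clock_offset(
            SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, true_now, timedelta(0)),
        "clock_400d_fast": status_with_clock_offset(
            SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, true_now, timedelta(days=400)),
        "renew_within_30d": needs_renewal(SAMPLE_NOT_AFTER, true_now, timedelta(days=30)),
        "renew_mid_december": needs_renewal(
            SAMPLE_NOT_AFTER, parse_x509_time("20241215000000Z"), timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, result in demo_clock_skew().items():
        print(f"{name}: {result}")
```

The slow-clock case is the one that bites right after enrollment: the CA stamps notBefore with its own time, and an AC whose clock lags will report the brand-new local certificate as not yet valid until the clocks converge, which is why the example procedure above insists on synchronizing the AC with the CA before requesting certificates.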
