If CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level.

CRL

An existing certificate may need to be revoked when, for example, the user name changes, the private key is leaked, or the user ceases business. Revoking a certificate removes the binding between the public key and the user identity information. In PKI, revocation is made through certificate revocation lists (CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs listing all certificates that have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way to check the validity of certificates.

A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL would degrade network performance, and it uses CRL distribution points to indicate the URLs of these CRLs.

CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be obtained through out-of-band means such as phone, disk, or e-mail. As different CAs may use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate requests.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA), and a PKI repository, as shown in Figure 73-1.

Figure 73-1 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a switch, or a process running on a computer.
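The following shell script is an added example and is not part of the configuration guide or of the switch's own software. It uses the openssl command-line tool to build the CA tree described above (a root CA with a self-signed CA certificate, a subordinate CA whose certificate is signed by the root, and a switch certificate issued by the subordinate CA), revokes the switch certificate as if its private key had leaked, publishes a CRL from the issuing CA, and then shows what a relying party sees with and without consulting that CRL: the CRL lists the revoked certificate by serial number, and the certificate itself carries the CRL distribution point URL. The CA names, the switch name, the key sizes and the URL http://pki.example.test/subca.crl are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the configuration guide: root CA -> subordinate CA ->
# switch certificate, then revocation, CRL publication and a relying party's
# chain check with and without the CRL. Names, key sizes and the CRL
# distribution point URL below are assumptions for the demo.
set -eu

CDP_URL="http://pki.example.test/subca.crl"   # assumed CRL distribution point

# Write a minimal openssl.cnf for one CA directory. 'openssl ca' keeps its
# database of issued certificates (index.txt), next serial and CRL number here.
make_ca_dir() {
  d="$1"
  mkdir -p "$d/newcerts"
  : > "$d/index.txt"
  echo 01 > "$d/serial"
  echo 01 > "$d/crlnumber"
  cat > "$d/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_switch ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:$CDP_URL
EOF
}

# Key pair and certificate request: $1 = common name, $2 = key file, $3 = CSR file.
request() {
  openssl req -config "$ROOT/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$2" -out "$3" -subj "/CN=$1" >>"$LOG" 2>&1
}

# Sign request $2 with the CA in directory $1 using extension section $3, write $4.
issue() {
  openssl ca -config "$1/openssl.cnf" -batch -notext -extensions "$3" \
    -in "$2" -out "$4" >>"$LOG" 2>&1
}

# Build the tree, revoke the switch certificate and return a one-line summary.
pki_demo() {
  W="$(mktemp -d)"; LOG="$W/openssl.log"; ROOT="$W/root"; SUB="$W/sub"
  make_ca_dir "$ROOT"; make_ca_dir "$SUB"

  # Root CA: its CA certificate is signed by itself.
  openssl req -config "$ROOT/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" -subj "/CN=Example Root CA" \
    -extensions v3_ca >>"$LOG" 2>&1

  # Subordinate CA: its CA certificate is signed by the CA one level up (the root).
  request "Example Sub CA" "$SUB/ca.key" "$SUB/ca.csr"
  issue "$ROOT" "$SUB/ca.csr" v3_ca "$SUB/ca.crt"

  # Switch (entity) certificate, issued by the subordinate CA.
  request "switch1.example.test" "$W/switch.key" "$W/switch.csr"
  issue "$SUB" "$W/switch.csr" v3_switch "$W/switch.crt"

  # Relying-party check before revocation: root trusted, sub CA as untrusted intermediate.
  chain=FAIL
  openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" "$W/switch.crt" >>"$LOG" 2>&1 && chain=OK

  # The switch's private key leaks: revoke it, then publish a CRL from the issuing CA.
  openssl ca -config "$SUB/openssl.cnf" -batch -revoke "$W/switch.crt" -crl_reason keyCompromise >>"$LOG" 2>&1
  openssl ca -config "$SUB/openssl.cnf" -batch -gencrl -out "$SUB/sub.crl" >>"$LOG" 2>&1

  # The CRL identifies the revoked certificate by serial number ...
  serial="$(openssl x509 -in "$W/switch.crt" -noout -serial | cut -d= -f2)"
  listed=no
  openssl crl -in "$SUB/sub.crl" -noout -text | grep -q "Serial Number: $serial" && listed=yes

  # ... and the certificate itself names the distribution point to fetch that CRL from.
  cdp=no
  openssl x509 -in "$W/switch.crt" -noout -text | grep -q "$CDP_URL" && cdp=yes

  # Same chain check, now consulting the CRL: the switch certificate must be rejected.
  crl_check=ACCEPTED
  openssl verify -crl_check -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" \
    -CRLfile "$SUB/sub.crl" "$W/switch.crt" >>"$LOG" 2>&1 || crl_check=REVOKED

  rm -rf "$W"
  echo "chain=$chain crl_check=$crl_check serial_listed=$listed cdp=$cdp"
}

pki_demo
```

Run it with `sh` on a host with OpenSSL 1.1.1 or later. Two points worth noting for a relying party: `-crl_check` only looks up a CRL for the end-entity certificate, so the CRL must come from that certificate's issuer (here the subordinate CA); checking every CA in the chain with `-crl_check_all` would also require a CRL from the root. And a revoked certificate still verifies for anyone who never fetches the CRL, which is why the distribution point in the certificate, and a copy of the CRL that is still within its nextUpdate time, matter in practice.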