Configuring PKI

Overview

Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key.

PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.

H3C's PKI system provides certificate management for IPsec and SSL.

PKI terminology

Digital certificate

A digital certificate is a document signed by a certificate authority (CA). It includes the issuer name (the name of the CA), the subject name (name of the individual or group to which the certificate is issued), the identity information of the subject, the subject's public key, the signature by the CA, and the period of validity. The CA's signature ensures the validity and authority of the certificate. A digital certificate binds a public key to its owner.

A digital certificate must comply with the international standards of ITU-T X.509, of which X.509 v3 is common.

This chapter covers the following types of certificates:

• CA certificate—Certificate of a CA. Multiple CAs in a PKI system form a CA tree with the root CA at the top level. The root CA issues a CA certificate for itself, and each lower level CA holds a CA certificate issued by the CA one level above it. The certificate of the root CA, the certificates of intermediate CAs, and the end certificate build a certificate chain. The certificate chain establishes a chain of trust.
• Registration authority (RA) certificate—Certificate issued by a CA for an RA. RAs are trusted by CAs to accept requests for enrollment in a PKI system, and they are optional in a PKI system.
• Local certificate—Digital certificate issued by a CA for the local entity.
• Peer certificate—Digital certificate issued by a CA for a peer entity.

Certificate revocation list

A certificate revocation list (CRL) is a list of revoked certificates, and is created and signed by a given CA.

A certificate must be revoked when, for example, the username changes, the private key is compromised, or the user is no longer certified by the CA. The CA periodically publishes a CRL that contains the serial numbers of all revoked certificates. CRLs provide an effective way of verifying the validity of certificates.
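The chain of trust and the CRL check described above, as an added example written for this page (it is not code from the H3C guide or the device) using only Go's standard crypto/x509 library: a self-signed root CA issues an intermediate CA certificate, the intermediate issues an end certificate, the end certificate is verified up to the root, and it is then checked against a CRL signed by its issuing CA. The use of Ed25519 keys, the CA names, the name device.example and the serial numbers are all constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates a key pair and a certificate for cn signed by the parent CA's
// key. A nil parent makes it self-signed, which is how a root CA certifies itself.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the example
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // a CA additionally signs certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo builds root CA -> intermediate CA -> end certificate, verifies that chain,
// then checks the end certificate against a CRL published by its issuing CA.
func Demo() (chainOK, crlTrusted, revoked bool) {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	inter, interKey := issue("Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("device.example", 3, false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	// The issuing CA revokes the end certificate and publishes a signed CRL of serial numbers.
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: time.Now()}}}, inter, interKey)
	// A relying party trusts a CRL only after verifying the CA's signature on it.
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(inter) != nil {
		return verr == nil, false, false // an unverifiable CRL carries no revocation information
	}
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return verr == nil, true, revoked
}
```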