Principle of digital certificate PKI

Before using any RSA-based service, an entity needs to truly and reliably obtain the public keys of other entities. The following guarantees are required.

PKI (Public Key Infrastructure) is a system using public key technology and digital certificate providing system information security service, which is responsible for verifying the identity of digital certificate holders. PKI technology is the core of information security technology and the key and basic technology of e-commerce. PKI ensures the privacy, integrity, non-repudiation and source authentication of communication data.

IPSec authentication (pre-* * key sharing method):

IPSec authentication (certificate authentication method in PIK):

Digital certificate:

A Digital certificate (certificate for short) is a file digitally signed by a CA, which contains the owner's public key and related identity information. Digital certificate technology solves the problem that the public key cannot be determined as the designated owner in digital signature technology.

Certificate structure:

The simplest certificate contains a public key, a name and the digital signature of the certification authority. Generally speaking, the certificate also includes the validity period of the key, the name of the issuer (certificate authority), the serial number of the certificate and other information. The structure of the certificate follows the specifications of X.509v3, as follows:

Description of each field of the certificate:

Certificate type

Certificate format

Introduction to CA

Ca (Certificate Authority (CA)). CA is the trust foundation of PKI and the trusted entity that issues and manages digital certificates. It is an authoritative, credible, willful and impartial third-party organization, usually provided by a server, such as Windows Server 2008.

CA usually adopts multi-level hierarchical structure, which is divided into root CA and subordinate CA according to the level of certification authority.

The core function of CA is to issue and manage digital certificates, including certificate issuance, certificate renewal, certificate revocation, certificate inquiry, certificate filing, certificate revocation list (CRL) publishing, etc.

About the characteristics of CA:

CA certificate issuing process

The process of digital certificate verification

Figure 1

Figure 2

Figure 3

Certificate application process

Certificate application method

Certificates are mainly applied in the following ways:

Certificate revocation method

Certificates have a specified lifetime, but CA can shorten this lifetime through a process called certificate revocation. CA publishes a certificate revocation list (CRL), which lists the serial numbers of certificates that are considered no longer available. The lifetime specified by CRL is usually much shorter than that specified by certificate. CA can also add the reason for certificate revocation in CRL. It can also add a start date that is considered applicable to this status change.

You can specify the following as the reason for revoking the certificate:

1. experimental topology

2. Experimental requirements

3.IP address planning

4. Experimental steps

Step 1: IP address and route configuration

Step 2: Configure the clock of the CA server. Site_ 1 and Site_2 are synchronized with CA. And ensure the clock synchronization of Site_ 1 and Site_2.

Step 3: Deploy the Certificate Server

Step 4: Site _ 1 apply for a certificate from the certificate server.

Step 5: Site 2 obtains the certificate.

Step 5: Deploy the basic site-to-site IPsec VPN configuration.

Step 6: Test VPN connectivity.