PKI Overview
The following topics provide an overview of the public-key infrastructure (PKI):
• Configuring Keys and Certificates
Public Key Infrastructure
PKI is a system that manages encryption keys and identity information for the human and mechanical components of a network that participate in secured communications.
The SSL Services Module uses the SSL protocol to enable secure transactions of data through privacy, authentication, and data integrity; the protocol relies upon certificates, public keys, and private keys.
The certificates, which are issued by certification authorities and are similar to digital ID cards, verify the identity of the server to the clients and the clients to the server. The certificates include the name of the entity to which the certificate was issued, the entity's public key, and the time stamp that indicates the certificate's expiration date.
Public and private keys are the keys used to encrypt and decrypt information. The public key is shared without restriction, but the private key is never shared. Each public-private key pair works together: data encrypted with the public key can be decrypted only with the corresponding private key.
Configuring Keys and Certificates
You can configure keys and certificates using one of the following methods:
• If you are using Simple Certificate Enrollment Protocol (SCEP), configure the keys and certificates by doing the following:
1. Generate a key pair.
2. Declare the trustpoint.
3. Get the certificate authority certificate.
4. Send an enrollment request to a certificate authority on behalf of the SSL server.
See the "Understanding Wizards" section for details.
• If you are not using SCEP, configure the keys and certificates using the manual certificate enrollment (TFTP and cut-and-paste) feature by doing the following:
1. Generate or import a key pair.
2. Declare the trustpoint.
3. Get the certificate authority certificate and enroll the trustpoint using TFTP or cut-and-paste to create a PKCS10 file.
4. Request the SSL server certificate offline using the PKCS10 package.
5. Import the SSL server certificate using TFTP or cut-and-paste.
See the "Understanding Wizards" section for details.
• If you are using an external PKI system, do the following:
1. Generate PKCS12 or privacy enhanced mail (PEM) files.
2. Import the file into the module.
See the "Understanding Wizards" section for details.
An external PKI system is a server or a PKI administration system that generates key pairs and enrolls for certificates from a certificate authority or a key and certificate archival system. The Public-Key Cryptography Standards (PKCS) specify the transfer syntax for personal identity information, including the private keys and certificates. This information is packaged into an encrypted file. To open the encrypted file, you must know a pass phrase. The encryption key is derived from the pass phrase.
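The offline side of the two non-SCEP flows above (the PKCS10 request of the manual-enrollment method and the pass-phrase-protected PKCS12 file of the external-PKI method) is shown here as an added example using OpenSSL; it is not part of the original documentation and does not use the module's own CLI. The subject names, the lab CA that signs the request in place of a real certificate authority, and the work directory are assumptions.

```shell
#!/bin/sh
# Added example: generate a key pair, build a PKCS#10 request, have a
# (hypothetical, lab-only) CA sign it, and bundle the result as a
# pass-phrase-protected PKCS#12 file ready for import into the module.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1 of the manual flow: generate the SSL server's RSA key pair.
gen_key() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 3: build the PKCS#10 request (the CSR that is sent to the CA offline).
make_csr() {
  openssl req -new -key "$WORKDIR/server.key" \
    -subj "/CN=ssl-server.example.test/O=Example" \
    -out "$WORKDIR/server.csr"
}

# Stand-in for the certificate authority: a self-signed lab CA signs the CSR.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# External-PKI flow: package private key, server certificate and CA certificate
# into one PKCS#12 file whose encryption key is derived from the pass phrase.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/server.key" \
    -in "$WORKDIR/server.crt" -certfile "$WORKDIR/ca.crt" \
    -passout "pass:$1" -out "$WORKDIR/server.p12"
}

# Check before import: the file opens only with the correct pass phrase.
check_pkcs12() {
  openssl pkcs12 -in "$WORKDIR/server.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Check before import: the private key matches the issued certificate
# (same RSA modulus), so the module will not end up with a mismatched pair.
key_matches_cert() {
  k=$(openssl rsa -in "$WORKDIR/server.key" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}
```

The resulting `server.p12` is what the external-PKI method imports, and `server.csr` is the PKCS10 package the manual method hands to the CA.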
Posted: Fri Apr 15 01:27:36 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.