Describing Public-Key Infrastructure (PKI)

CRL checking is not optional. CRLs are collected automatically by the XSR using information available in the IPSec and CA certificates it has already collected.

Two methods are available to perform this collection:

HTTP Get issues an HTTP-based request to collect the certificate.

LDAP issues URL requests to collect CRLs.

Most CAs can be configured to use either or both of these CRL retrieval mechanisms. The XSR automatically uses one method or the other based on information stored in the certificates.

CA Hierarchies

In large organizations, it may be advantageous to delegate the responsibility for issuing certificates to several different CAs. For example, the number of certificates required may be too large for a single CA to maintain; different organizational units may have different policy requirements; or it may be important for a CA to be physically located in the same geographic area as the people to whom it is issuing certificates.

It is also possible to delegate certificate-issuing responsibilities to subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs. As shown in Figure 14-3, the root CA is at the top of the hierarchy. The root CA's certificate is a self-signed certificate: that is, the certificate is digitally signed by the same entity - the root CA - that the certificate identifies.

Figure 14-3 Sample Hierarchy of CAs

[Figure: a tree of CAs. The Root CA is at the top. Directly below it are three subordinate CAs (Asia CA, Europe CA, US CA). Below those is a further level of subordinate CAs (Sales CA, Marketing CA, Admin CA, Admin CA). At the bottom is a certificate issued by one of the lowest-level CAs.]

The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate CAs.

Certificate Chains

CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued by successive CAs. Figure 14-4 shows a certificate chain leading from a certificate that identifies some entity, through two subordinate CA certificates, to the CA certificate for the root CA (based on the CA hierarchy shown in Figure 14-3).
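The following script is an added example, not text or configuration from the XSR User's Guide, and it does not involve the XSR itself. It uses the OpenSSL command line to build a hierarchy of the kind Figure 14-3 shows (a self-signed root, a subordinate CA certified by the root, and an end-entity certificate issued by the subordinate), validates the resulting chain, and then ties back to the CRL-checking passage above: it reads the CRL distribution point that a CRL-collecting peer would fetch over HTTP or LDAP, issues a CRL from the subordinate CA, and shows validation failing once the certificate is revoked. The CA names, the host name xsr.example.test and the URI http://crl.example.test/sub.crl are constructed for the demo; the script assumes `openssl` (1.1.1 or later) is on the PATH and writes everything to a temporary directory.

```shell
#!/bin/sh
# Added example: three-level CA hierarchy, chain validation and CRL checking
# with the OpenSSL command line. All names and URIs below are constructed.
set -e

WORK=""
trap 'rm -rf "$WORK"' EXIT

# OpenSSL configuration for every step. Generated at run time because the
# `ca` utility needs absolute paths to its database files.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# Constructed location; a CRL-checking peer reads this to locate the issuer's CRL.
crlDistributionPoints = URI:http://crl.example.test/sub.crl
[ ca ]
default_ca = sub_ca
[ sub_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/sub.pem
private_key = $WORK/sub.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 1000 > "$WORK/crlnumber"
}

# Root CA (self-signed), subordinate CA (signed by the root), end entity
# (issued by the subordinate). Each call starts from a fresh directory.
make_hierarchy() {
    if [ -n "$WORK" ]; then rm -rf "$WORK"; fi
    WORK="$(mktemp -d)"
    write_config
    CNF="$WORK/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$CNF" \
        -subj "/CN=Root CA" -extensions v3_ca \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=Europe CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions v3_ca \
        -out "$WORK/sub.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=xsr.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# CRL distribution point carried in the end-entity certificate.
leaf_cdp_uri() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/^[[:space:]]*URI://p' | head -n 1
}

# Issue a CRL signed by the subordinate CA, the issuer of the end-entity certificate.
issue_crl() { openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/sub.crl" 2>/dev/null; }

# Mark the end-entity certificate revoked in the subordinate CA's database.
revoke_leaf() { openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/leaf.pem" 2>/dev/null; }

# Number of revoked serials listed in the current CRL.
crl_revoked_count() {
    openssl crl -in "$WORK/sub.crl" -noout -text | grep -c 'Serial Number:' || true
}

# Trust only the root; the subordinate is supplied as an untrusted intermediate
# and OpenSSL walks leaf -> subordinate -> root.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"
}

# Same walk with CRL checking of the end-entity certificate enabled.
verify_chain_with_crl() {
    openssl verify -crl_check -CRLfile "$WORK/sub.crl" -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/sub.pem" "$WORK/leaf.pem"
}

demo() {
    make_hierarchy
    echo "CRL distribution point in end-entity certificate: $(leaf_cdp_uri)"
    echo "--- chain validation, no CRL check"; verify_chain
    issue_crl
    echo "--- chain validation with CRL check ($(crl_revoked_count) revoked)"; verify_chain_with_crl
    revoke_leaf; issue_crl
    echo "--- after revocation ($(crl_revoked_count) revoked)"
    verify_chain_with_crl || echo "rejected: certificate is on the issuer's CRL"
}

demo
```

The order of the last two steps is the point a practitioner should notice: the chain is still cryptographically valid after revocation, and only the CRL check turns the result into a rejection, which is why the guide treats CRL checking as mandatory rather than optional.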

XSR User’s Guide 14-7

Enterasys Networks X-Pedition™ manual: CA Hierarchies, Certificate Chains