PKI

PKI Overview

A Public Key Infrastructure (PKI) is a set of software, data, and procedures for creating and managing public key certificates. Certificates are pieces of data that identifies a person, client computer, server computer or other entity, using generated public-private encryption key pairs. The pairs are mathematically related such that data encrypted using one of the pair can only be decrypted by the other. Public keys are embedded in distributed certificates while the private keys are kept confidential by the endpoints. Endpoints prove their identity by encrypting data with their private key, which is verified using the certificate's public key.

A3 provides a complete PKI that can be used for all types of certificate generation tasks. The process is broken down into four steps:

• Certificate Authorities - are the parties that sign certificates. Signing is process by which the data in an endpoint's certificate is combined with the Certificate Authority's (CA) public key. This allows a party receiving the endpoint's certificate to validate that the certificate was generated by a party that they trust. If EAP-TLS authentication is to be used in A3, CAs generated in this step must be copied into the RADIUS section of SSL Certificates so that A3 will trust endpoint certificates generated by the CA. See the Note below concerning trusted CAs.
• Templates - define the type of information to be include in generated certificates.
• Certificates - generated endpoint certificates using defined CAs and templates.
• Revoked Certificates - a list of revoked certificate. During the certificate validation process parties that receive endpoint certificates check with the CA that signed the certificate to determine whether the certificate has been revoked.

Note

The CAs generated by A3's PKI are not publicly trusted CAs. They are intended for use only within an organization. Publicly trusted certificates can be generated using A3's SSL Certificates interface.