PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI automates the management of keys and certificates, and provides confidentiality, integrity, authentication and non-repudiation for data transmitted over the Internet. A PKI certificate binds a public key to the identity of its holder, and that binding is attested by a trusted third party, so a peer presenting the certificate can be authenticated over the Internet. A PKI system consists of public key cryptography, a CA (Certificate Authority), an RA (Registration Authority), digital certificates and a PKI repository that stores them.
Public Key Cryptography: A technique that generates a key pair consisting of a public key and a private key. The public key is distributed widely, while the private key is known only to its owner. The two keys complement each other: data encrypted with one key can only be decrypted with the other, and a signature made with the private key can be verified by anyone holding the public key.
CA: A trusted entity that issues digital certificates to individuals, computers or other entities. The CA accepts certificate requests and verifies the information provided by the applicant according to its certificate management policy. If the information is valid, the CA signs the certificate with its private key and issues it to the applicant.
RA: An extension of the CA. The RA forwards certificate requests to the CA, and forwards the digital certificates and CRLs issued by the CA to directory servers, which provide directory browsing and query services.
CRL: Every certificate has an expiration date, but a CA may revoke a certificate before it expires, for example because the private key was leaked or the business was terminated. When a certificate is revoked, the CA publishes a CRL (Certificate Revocation List) announcing that the certificate is invalid; the CRL lists the serial numbers of the revoked certificates. A device that never fetches the CRL will keep accepting a revoked certificate until it expires.
PKI is used in the following situations:
- IKE VPN: PKI certificates can be used to authenticate the peers of an IKE VPN tunnel.
- HTTPS/SSH: PKI applies when a user accesses a Hillstone device over HTTPS or SSH.
- Sandbox: Trusted root certificates are used to verify the signing certificates of PE files.
Creating a PKI Key
- Select System > PKI > Key.
- Click New. In the PKI Key Configuration dialog, configure the following.
Label: Specifies the name of the PKI key. The name must be unique.
Key configuration mode: Specifies how the key is obtained, either Generate or Import.
Generate:
- Key Pair Type: Specifies the type of key pair: RSA, DSA or SM2.
- Key Modulus: Specifies the modulus of the key pair. For RSA and DSA the choices are 512, 768, 1024 (the default) or 2048 bits; for SM2 the modulus is 256 bits. RSA and DSA keys shorter than 2048 bits are no longer considered secure; select 2048 unless an older peer cannot accept it.
Import:
- Type: Specifies what the imported file contains, either Encryption Key or Key Pair.
  - Encryption Key: Protects the signing key pair with a digital envelope. If you select this option, you must also specify the signing key pair when importing the key.
  - Key Pair: If you select this option, specify the type of the imported key pair: RSA, DSA or SM2.
- Import Key: Browse your local file system and select the key file to import.
- Click OK.
Creating a Trust Domain
- Select System > PKI > Trust Domain.
- Click New. In the Basic Configuration tab, configure values for the basic properties.
Trust Domain: Enter the name of the new trust domain.
Enrollment Type: Use one of the following two methods:
- Select Manual Input, then click Browse to locate the certificate and click Import to import it into the system.
- Select Self-signed Certificate, and the device generates the certificate itself.
Key Pair: Select a key pair.
Subject Name: Enter the subject name, that is, the identity the certificate is issued to.
Country (Region): Enter the applicant's country or region. Only the two-letter abbreviation is allowed, such as CN.
Location: Optional. The locality of the applicant.
State/Province: Optional. State or province name.
Organization: Optional. Organization name.
Organization Unit: Optional. Department name within the applicant's organization.
- Click Apply Certificate. The device generates a certificate signing request from the key pair and the subject fields and displays it as a block of text. Only the request leaves the device; the private key stays on it.
- Copy this text and send it to the CA via email.
- When you receive the signed certificate from the CA, click Browse to import it.
(Optional) In the CRL tab, configure the following.
Certificate Revocation List Check:
- No Check: The system does not check the CRL. This is the default option.
- Optional: The system accepts the peer's certificate whether or not a CRL is available.
- Force: The system accepts the peer's certificate only when a CRL is available.
Only Force fails closed: with No Check or Optional, a peer whose certificate has been revoked but whose CRL cannot be fetched is still accepted.
URL: The address from which the CRL is retrieved. At most 3 URLs are allowed, with priority from 1 to 3.
- Select http:// to retrieve the CRL via HTTP.
- Select ldap:// to retrieve the CRL via LDAP.
- If you use LDAP to retrieve the CRL, enter the login DN and password for the LDAP server. If no login DN or password is given, the bind is anonymous.
Auto Update: The update frequency of the CRL.
Manually Update: Retrieve the CRL immediately by clicking Obtain CRL.
- Click OK.
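To make the effect of these options concrete, the following added example (not Hillstone/StoneOS code, and not the device's own implementation) reproduces the PKI key, trust domain and CRL steps above with OpenSSL: it generates a 2048-bit RSA key, builds the CSR that Apply Certificate produces from the Subject fields, has a throwaway CA sign it and issue a CRL, and then checks the peer certificate under each of the No Check, Optional and Force settings. The CA, the DN values, the file names and the assumption that Optional still consults a CRL when one is present are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Hillstone/StoneOS code. Reproduces the key, CSR and
# CRL-check steps with OpenSSL. CA, subject values, file names and the
# passphrase-less keys are all constructed for the example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# "Creating a PKI Key", mode Generate, RSA with a 2048-bit modulus.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out device.key 2>/dev/null

# "Creating a Trust Domain", Enrollment Type Manual Input: the Subject fields
# become the CSR DN. The CSR is what Apply Certificate shows; the private
# key never leaves the device.
openssl req -new -sha256 -key device.key -out device.csr \
  -subj "/C=CN/ST=Example-State/L=Example-City/O=Example Org/OU=NetOps/CN=fw1.example.test"

# A throwaway CA standing in for the real CA the CSR is emailed to.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.crt -subj "/C=CN/O=Example Org/CN=Example Root CA" 2>/dev/null
touch index.txt
echo 1000 > serial
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
EOF
# The CA signs the CSR (this is the certificate you import with Browse)
# and publishes its first, still empty, CRL.
openssl ca -batch -config ca.cnf -notext -in device.csr -out device.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Emulates the three "Certificate Revocation List Check" settings.
# Assumption: Optional consults the CRL when one is present and skips it
# otherwise. $1 = nocheck|optional|force, $2 = peer cert, $3 = CRL file.
# Prints accept or reject.
check_peer() {
  mode=$1; cert=$2; crl=$3
  case "$mode" in
    nocheck)  use_crl=no ;;
    optional) if [ -f "$crl" ]; then use_crl=yes; else use_crl=no; fi ;;          # fails open
    force)    if [ -f "$crl" ]; then use_crl=yes; else echo reject; return 0; fi ;; # fails closed
    *)        echo reject; return 0 ;;
  esac
  if [ "$use_crl" = yes ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLfile "$crl" "$cert" >/dev/null 2>&1 \
      && echo accept || echo reject
  else
    openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 && echo accept || echo reject
  fi
}

# What the CA does after a key leak: revoke the certificate and issue a new CRL.
revoke_device() {
  openssl ca -config ca.cnf -revoke device.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Serial numbers listed in a CRL (hex), one per line.
crl_serials() {
  openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

check_peer force    device.crt ca.crl    # accept: valid cert, CRL present
check_peer force    device.crt none.crl  # reject: Force with no CRL fails closed
check_peer optional device.crt none.crl  # accept: Optional with no CRL fails open
revoke_device
check_peer nocheck  device.crt ca.crl    # accept: revocation never consulted
check_peer force    device.crt ca.crl    # reject: serial 1000 is now on the CRL
crl_serials ca.crl                       # 1000
```

Run it on any host with openssl; it works entirely in a temporary directory. The two checks after revoke_device are the point: with No Check a revoked certificate is still accepted, and only Force refuses a peer when the CRL cannot be obtained.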
Importing/Exporting Trust Domain
To simplify configuration, you can export certificates (CA or local) and the private key (in PKCS12 format) to a computer and import them on another device. A PKCS12 file contains the private key, so protect it with a strong password and delete it from the computer once it has been imported.
To export a PKI trust domain, take the following steps:
- Select System > PKI > Trust Domain Certificate.
- Select a domain from drop-down menu.
- Select the radio button of the item you want to export, and click Export.
If you export in PKCS12 format, you must set a password; it protects the private key in the file.
- Click OK, and select a storage path to save the item.
To import the saved trust domain to another device, take the following steps:
- Log in to the other device and select System > PKI > Trust Domain Certificate.
- Select a domain from drop-down menu.
- Select the radio button of the item you want to import, and click Import.
If you import a PKCS12 file, enter the password that was set when it was exported.
- Click Browse and find the file to import.
- Click OK. The domain file is imported.
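The same round trip done with OpenSSL, as an added example that is not Hillstone/StoneOS code, shows what the export password actually protects and what a successful import has to verify. The certificate, the file names and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not Hillstone/StoneOS code: the PKCS12 export/import round
# trip done with OpenSSL. Certificate, file names and password are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# A self-signed certificate and key standing in for a trust domain's local
# certificate (constructed for the example).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout local.key -out local.crt -subj "/C=CN/O=Example Org/CN=fw1.example.test" 2>/dev/null

# Export: certificate and private key into one PKCS12 file. The password is
# the only thing protecting the private key while the file sits on a PC.
# $1 = output file, $2 = export password
export_p12() {
  openssl pkcs12 -export -inkey local.key -in local.crt -name "trust-domain-local" \
    -out "$1" -passout "pass:$2" 2>/dev/null
}

# Import: prints ok when the password opens the file and the recovered private
# key matches the recovered certificate, otherwise fail.
# $1 = PKCS12 file, $2 = the password given at export time
import_p12() {
  if ! openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out imported.key 2>/dev/null; then
    echo fail; return 0
  fi
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out imported.crt 2>/dev/null
  cert_pub=$(openssl x509 -in imported.crt -noout -pubkey)
  key_pub=$(openssl pkey -in imported.key -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo fail; fi
}

export_p12 bundle.p12 'Export-pw-2024'
import_p12 bundle.p12 'Export-pw-2024'   # ok
import_p12 bundle.p12 'wrong'            # fail
```

A wrong password fails at the MAC check before any key material is decrypted, which is why the device asks for the export password rather than any password of its own.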
Importing a Trusted Root Certificate
The sandbox does not inspect PE files whose signing certificate chains to a trusted root certificate, so import only roots you genuinely trust: every file signed under an imported root is exempted from detection. To import a trusted root certificate for PE files, take the following steps:
- Select System > PKI > Trusted Root Certificate.
- Click Import and choose a certificate file in your PC.
- Click OK and then the file will be imported.