You are here: Webhelp > Authentication > PKI


PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature service. PKI is designed to automate secret key and certificate management, and assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. The certificate of PKI is managed by a public key by binding the public key with a respective user identity by a trusted third-party, thus authenticating the user over the Internet. A PKI system consists of Public Key Cryptography, CA (Certificate Authority), RA (Certificate Authority), Digital Certificate and related PKI storage library.

PKI terminology:

  • Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private key. The public key is widely distributed, while the private key is only known to the recipient. The two keys in the key pair complement each other, and the data encrypted by one key can only be decrypted by the other key of the key pair.
  • CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. CA accepts requests for certificates and verifies the information provided by the applicants based on certificate management policy. If the information is legal, CA will sign the certificates with its private key and issue them to the applicants.
  • RA: The extension to CA. RA forwards requests for a certificate to CA, and also forwards the digital certificate and CRL issued by CA to directory servers in order to provide directory browsing and query services.
  • CRL: Each certificate is designed with expiration. However, CA might revoke a certificate before the date of expiration due to key leakage, business termination or other reasons. Once a certificate is revoked, CA will issue a CRL to announce the certificate is invalid, and list the series number of the invalid certificate.

PKI is used in the following two situations:

  • IKE VPN: PKI can be used by IKE VPN tunnel.
  • HTTPS/SSH: PKI applies to the situation where a user accesses a Hillstone device over HTTPS or SSH.
  • Sandbox: Support the verification for the trust certification of PE files.

Creating a PKI Key

  1. Select System > PKI > Key.
  2. Click New.
  3. Click OK.

Creating a Trust Domain

  1. Select System > PKI > Trust Domain.
  2. Click New.

  1. Click Apply Certificate, and a string of code will appear.
  2. Copy this code and send it to CA via email.
  3. When you receive the certificate sent from CA. Click Browse to import the certificate.
  4. Click OK.

Importing/Exporting Trust Domain

To simplify configurations, you can export certificates (CA or local) and private key (in the format of PKSC12) to a computer and import them to another device.

To export a PKI trust domain, take the following steps:

  1. Select System > PKI > Trust Domain Certificate.
  2. Select a domain from drop-down menu.
  3. Select the radio button of the item you want to export, and click Export.
    If you choose PKCS, you need to set up password.
  4. Click OK, and select a storage path to save the item.

To import the saved trust domain to another device, take the following steps:

  1. Log in the other device, select System > PKI > Trust Domain Certificate.
  2. Select a domain from drop-down menu.
  3. Select the radio button of the item you want to import, and click Import.
    If you choose PKCS, you need to enter the password when it was exported.
  4. Click Browse and find the file to import.
  5. Click OK. The domain file is imported.

Importing Trust Certification

System will not detect the PE file whose certification is trusted. To import trust certification of PE files, take the following steps:

  1. Select System > PKI > Trusted Root Certificate.
  2. Click Import and choose a certificate file in your PC.
  3. Click OK and then the file will be imported.