Understanding Public Key Infrastructure
Public key infrastructure (PKI) refers to the hierarchical structure of trust required for the successful implementation of public key cryptography. To verify the trustworthiness of a certificate, you must be able to track a path of certified certificate authorities (CAs) from the one issuing your local certificate to the root authority of a CA domain. See Figure 48.
This topic includes the following sections:
- PKI Hierarchy for a Single CA Domain or Across Domains
- PKI Management and Implementation
PKI Hierarchy for a Single CA Domain or Across Domains
Figure 48 shows the structure of a single-domain certificate authority.
Figure 48: PKI Hierarchy of Trust—CA Domain
If certificates are used solely within an organization, that organization can have its own CA domain, within which a company CA issues and validates certificates for its employees. If that organization later wants its employees to exchange certificates with employees of another organization that has its own CA domain, the two CAs can establish cross-certification by each agreeing to trust the other's authority. In this case, the PKI structure does not extend vertically but does extend horizontally. See Figure 49.
Figure 49: Cross-Certification
PKI Management and Implementation
For convenience and practicality, PKI must be transparently managed and implemented. Toward this goal, JUNOS Software supports the following features:
- Generates a public-private key pair.
- Loads multiple local certificates from different CAs.
- Delivers a certificate when establishing an IPsec tunnel.
- Validates a certificate path upward through eight levels of CA authorities in the PKI hierarchy.
- Supports the Public-Key Cryptography Standards #7 (PKCS #7) Cryptographic Message Syntax. As a result, the device can accept X.509 certificates and certificate revocation lists (CRLs) packaged within a PKCS #7 envelope.
Note: JUNOS Software supports a PKCS #7 file size of up to 7 KB.
- Retrieves CRLs online through Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP).
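The path check this topic describes (walking from the local certificate upward through the CA hierarchy, with the eight-level limit listed above) as an added example; this is not code from the original topic or from JUNOS. It assumes the third-party Python `cryptography` package is installed; the CA names and the device name are constructed.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

MAX_CA_LEVELS = 8  # CA depth limit the topic states for JUNOS path validation

def make_cert(subject, issuer_name, issuer_key, is_ca):
    """Issue a cert for `subject`; issuer None means a self-signed root. Returns (cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).public_key(key.public_key())
            .issuer_name(name if issuer_name is None else issuer_name)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if issuer_key is None else issuer_key, hashes.SHA256()))
    return cert, key

def build_hierarchy(ca_levels):
    """Root CA, ca_levels-1 subordinate CAs, one device cert (constructed names). Returns (leaf, intermediates, root)."""
    cas, issuer_name, issuer_key = [], None, None
    for i in range(ca_levels):
        cert, issuer_key = make_cert(f"CA-{i}", issuer_name, issuer_key, True)
        cas.append(cert)
        issuer_name = cert.subject
    leaf, _ = make_cert("device.example", issuer_name, issuer_key, False)
    return leaf, cas[:0:-1], cas[0]   # intermediates ordered from the leaf's issuer upward

def validate_path(leaf, intermediates, root):
    """Walk from the local cert up to the root: issuer names must chain, each issuer must be a
    CA, and each issuer's public key must verify the child's signature. (A full validator also
    checks validity periods and revocation against the CRLs the topic mentions.)"""
    chain = [leaf, *intermediates, root]
    if len(chain) - 1 > MAX_CA_LEVELS:   # more CA levels than the device will walk
        return False
    for child, issuer in zip(chain, chain[1:]):
        is_ca = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        if child.issuer != issuer.subject or not is_ca:
            return False                  # broken link, or the issuer is not a CA
        try:                              # a matching name proves nothing; check the signature
            issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return root.issuer == root.subject    # root must be self-signed (and a configured trust anchor)
```

A root with the same name but a different key fails the signature step even though every issuer/subject name matches, which is why name chaining alone is never sufficient.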
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Public Key Cryptography
- Understanding Certificates
- Understanding Certificate Revocation Lists
- Understanding Self-Signed Certificates