PKI Overview
Learn about PKI, PKI support in Junos OS, and understand the benefits of PKI.
Introduction to PKI
Public key infrastructure (PKI) provides a way of verifying the identity of a remote site by using a digital certificate. PKI uses a certificate authority (CA) to validate your information and to sign it with a digital signature such that neither your information nor the signature can be modified. Once signed, the information becomes a digital certificate. Devices that receive a digital certificate can verify the information in the certificate by validating the signature using public key cryptography.
The PKI provides an infrastructure for digital certificate management and consists of:
- Registration Authority (RA) that verifies the identities of entities, authorizes their certificate requests, and generates unique asymmetric key pairs (unless the users’ certificate requests already contain public keys).
- Certificate Authority (CA) that issues corresponding digital certificates for the requesting entities.
- A certificate revocation list (CRL) identifying the certificates that are no longer valid. Each entity possessing the authentic public key of a CA can verify the certificates issued by that CA.
How PKI Works
PKI supports the distribution and identification of public encryption keys, enabling users to both securely exchange data over networks such as the Internet and verify the identity of the other party.
Figure 1 shows how authentication happens between two users using their public and private keys.
| PKI Key Components | Description |
|---|---|
| Certificate Authority (CA) | A trusted third-party organization that creates, enrolls, validates, and revokes digital certificates. The CA guarantees a user’s identity and issues public and private keys for message encryption and decryption. |
| Registration Authority (RA) | Verifies the identities of entities, authorizes their certificate requests, and generates unique asymmetric key pairs unless the users’ certificate requests already contain public keys. |
| Digital Certificates | Electronic documents that contain information about the entity to which they are issued, such as a VPN gateway. They are signed by the CA to ensure their authenticity and integrity. |
| Public and Private Keys | A pair of keys used in public key cryptography. The public key is used for encryption, while the private key is used for decryption. These keys are generated simultaneously and are linked mathematically. |
| Certificate Life Cycle Management | Includes phases such as generation of public/private keys and identity information, enrollment (request and retrieval), usage within Internet Key Exchange (IKE), certificate validation and revocation checks, and certificate renewal. |
| IKE and PKI | During IKE Phase 1 setup, a certificate can identify the peer by IP address, fully qualified domain name (FQDN), user fully qualified domain name (U-FQDN), or distinguished name (DN). The IKE ID is added to the SubjectAlternativeName field of the certificate. |
Benefits of PKI
- Enhanced Security: PKI provides robust security by using asymmetric cryptography, which is more secure than symmetric cryptography. The use of public and private keys ensures that data encrypted with a public key can only be decrypted with the corresponding private key.
- Trust Hierarchy: PKI establishes a trust hierarchy through the use of Certificate Authorities (CAs), Registration Authorities (RAs), and Certificate Repositories. This hierarchy ensures that all entities within the network trust each other based on their certificates and the CA that issued them.
- Data Integrity: Digital certificates issued by PKI ensure the integrity of data by providing a way to verify the authenticity of the sender and the data itself. This prevents tampering or alteration of data during transmission.
- Scalability: PKI is scalable and can be used in large networks with multiple entities. It supports various standards like X.509 and Public Key Cryptography Standards (PKCS), making it versatile and adaptable to different network configurations.
- Ease of Management: While setting up a PKI requires some initial configuration, it simplifies the management of digital certificates and keys. This makes it easier to manage and maintain secure connections across the network.