PKI Fundamentals - 6

Endpoint Entities: Users and Devices

Some of the more popular uses are authentication toward an IT system (***, web server, and so on), digital signature of emails, and content encryption.

The certificate itself is public information; however, the associated key pair (more specifically, the entity's private key) is secret information, because it is the one used to generate cryptographic content linked to the certificate.

Users Versus Devices
Although digital certificates for devices and human users are technically identical, their storage and usage can differ. A device "acts as configured" when performing certificate validation steps. However, for users, the human factor plays a non-negligible part. Few people actually read all the certificate warnings displayed by web browsers when navigating the web. This unfortunately typical behavior means users click Accept regardless of the message presented, defeating the security mechanisms of PKI. An expired, unknown, or changed certificate should catch your attention as a sign that something is not "as expected." With your PKI knowledge and understanding, a more detailed look at the error or at the certificate can clarify what is actually happening, and the system administrator should, at a minimum, be notified.

—————————————————————————————————————————————

how to get a certificate, how to keep a certificate that is current, how to revoke a certificate, and how to keep a PKI up and running if an outage occurs.

Enrollment is the process of obtaining a certificate. The two enrollment processes are manual enrollment and network-based SCEP enrollment. SCEP is used mainly by network devices, whereas client machines use manual enrollment; both work on the same principle.

■ An end host generates an RSA (Rivest, Shamir and Adleman) key pair; the entity generates its own key pair.
■ A certificate request containing the end host's public key is delivered to a certificate authority (CA); the request must carry the entity's public key.
■ The CA signs the request with the CA's private key and generates the end host's certificate; the CA's digital signature becomes part of the certificate.
■ The certificate is delivered back to the end host.
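The four enrollment steps above, carried out with the Python cryptography library as an added example (this is not code from the original page or from any SCEP implementation). The self-signed CA, the CA name "Constructed Test CA" and the host name "router1.example" are constructed for the example; the last function shows the validation a relying device performs "as configured", which is exactly what a user clicking past a browser warning skips.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.x509.oid import NameOID
UTC = datetime.timezone.utc
def generate_key():
    # Step 1: the end host generates its own RSA key pair; the private half never leaves the host.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)
def make_csr(key, common_name):
    # Step 2: the request carries only the public key, signed by the requester (proof of possession).
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
def issue(csr, issuer_cert, issuer_key, days):
    # Step 3: the issuer verifies the request and signs with its private key (issuer_cert=None self-signs).
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder().subject_name(csr.subject)
            .issuer_name(issuer_cert.subject if issuer_cert is not None else csr.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))
def make_ca(common_name):
    # Constructed trust anchor for the example: a self-signed CA certificate and its key.
    key = generate_key()
    return key, issue(make_csr(key, common_name), None, key, 3650)

def validity_window(cert):
    try:  # cryptography >= 42 has tz-aware properties; older versions only have naive ones
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def validate(cert, ca_cert, at=None):
    # Step 4 on the relying side: known issuer, CA signature over the to-be-signed bytes, time in window.
    at = at or datetime.datetime.now(UTC)
    problems = []
    if cert.issuer != ca_cert.subject:
        problems.append("unknown issuer")
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature does not verify")
    not_before, not_after = validity_window(cert)
    if not (not_before <= at <= not_after):
        problems.append("expired or not yet valid")
    return problems
```

An empty list from validate means the device would accept the certificate; any entry is the condition a browser would turn into the warning users tend to click through.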

————————————————————————————————————————————
