Endpoint Entities: Users and Devices

Some more popular uses are authentication toward an IT system (×××, web server, and so on), digital signature of emails, and content encryption.

The certificate itself is public information; however, the associated key pair (more specifically the private key) is secret information because it is the one used to generate cryptographic content linked to the certificate. The certificate itself is public information. However, it is associated with a key pair, in particular the entity's private key.

Users Versus Devices
Although digital certificates for devices or human users are technically identical, their storage and usages can differ. A device "acts as configured" when performing certificate validation steps. However, for users, the human factor plays a non-negligible part. Few people actually read all certificate warnings displayed by web browsers when navigating through the web. This unfortunately typical behavior means users click Accept independently of the message presented, defeating the security mechanisms of PKI. An expired, unknown, or changed certificate should alert you that something is not "as expected." With your PKI knowledge and understanding, a more detailed look at the error or the certificate can clarify what is actually happening, and the system administrator should be, at a minimum, notified.


—————————————————————————————————————————————

how to get a certificate, how to keep a certificate that is current, how to revoke a certificate, and how to keep a PKI up and running if an outage occurs.

Enrollment is the process of obtaining a certificate. The two enrollment processes are manual enrollment and network-based SCEP enrollment. Obtaining a certificate: enrollment is a process. There are usually two ways to enroll: manual enrollment and SCEP. SCEP is mainly used by network devices; client machines use manual enrollment. The principle behind both is the same.

■ An end host generates an RSA (Rivest, Shamir and Adleman) key pair. The entity generates its own key pair.
■ A certificate request containing the end host's public key is delivered to a certificate authority (CA). The certificate request must contain the entity's public key and is submitted to the CA.
■ The CA signs the request with the CA's private key and generates the end host's certificate. The CA signs the submitted information with the CA private key and then produces the certificate; the digital signature is part of the certificate.
■ The certificate is delivered back to the end host. The CA delivers the certificate to the entity.
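The four enrollment steps above, and the "expired, unknown, or changed certificate" checks from the Users Versus Devices section, as an added example driven with the openssl command-line tool. This script is not from the original notes or from any vendor's documentation; the CA name (lab-ca), the untrusted second CA (other-ca), the host name host1.example.test, the validity periods and the scratch directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: manual enrollment driven with
# the openssl CLI, followed by the validation checks a device performs
# "as configured". The CA name (lab-ca), the untrusted CA (other-ca), the
# host name (host1.example.test) and the scratch directory are assumptions.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# A self-signed lab CA. Its key pair plays the "CA private key" role below.
make_ca() {   # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Step 1: the end host generates its own RSA key pair (the private key
# never leaves the host).
# Step 2: a certificate request carrying only the public key and the
# host's identity is produced for delivery to the CA.
make_request() {   # $1 = host name
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Step 3: the CA signs the request with the CA private key; the signature
# becomes part of the certificate.
# Step 4: the resulting file is what is delivered back to the host.
sign_request() {   # $1 = CA name, $2 = host name, $3 = output file
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 365 -out "$3" 2>/dev/null
}

# Device-style validation: prints "ok" when the certificate chains to the
# given CA and is inside its validity period at epoch time $3; otherwise
# prints OpenSSL's reason (e.g. "certificate has expired"). A person sees
# the same reason in a browser warning; a device simply refuses.
check_cert() {   # $1 = CA file, $2 = certificate file, $3 = epoch seconds
  if openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 \
      | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

# SHA-256 fingerprint: the value an operator pins in order to notice a
# *changed* certificate for a host that previously presented another one.
fingerprint() {   # $1 = certificate file
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# --- Run the enrollment ---
make_ca lab-ca
make_ca other-ca                 # an unrelated CA the device does not trust
make_request host1.example.test
sign_request lab-ca host1.example.test host1.pem
# Re-enrolling the same host name (fresh key pair, fresh request) yields a
# different certificate, so its fingerprint no longer matches the pinned one.
make_request host1.example.test
sign_request lab-ca host1.example.test host1-reissued.pem

NOW="$(date +%s)"
LATER=$((NOW + 2 * 365 * 86400))   # two years on: the 365-day cert has lapsed

echo "valid now:       $(check_cert lab-ca.pem host1.pem "$NOW")"
echo "in two years:    $(check_cert lab-ca.pem host1.pem "$LATER")"
echo "untrusted CA:    $(check_cert other-ca.pem host1.pem "$NOW")"
echo "pinned:          $(fingerprint host1.pem)"
echo "after re-issue:  $(fingerprint host1-reissued.pem)"
```

The three failure cases printed at the end are exactly the three warnings the section tells users not to click through: the certificate has expired, it was issued by a CA the verifier does not know, or the host now presents a certificate whose fingerprint differs from the one seen before.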

————————————————————————————————————————————