cisco hyperflex book

cisco hyperflex book.6.3PKI Cornerstone Out of Knowledge 313 to authenticate each other's identities. The reason is that the two devices already have the CA's public key and do not need to "contact" the CA directly to verify each other's signatures in the ID book. So, this poses a problem: in the case that the CA has revoked the certificate of one device (device A), the two devices do not authenticate each other through the CA, so how does device B know if the certificate of device A has just been revoked? The answer is simple: let all devices check and know about the revocation of the certificate. The digital certificate contains information about the renewed list of revoked certificates, from which the device can retrieve the relevant information. This information is a URL, either to the CA server itself or to some other public resource on the Internet±. Revoked certificates are listed according to their serial numbers, and the device performs this check before completing authentication with the other party, as long as the device is configured to check for revoked certificates./If the device checks the certificate revocation list (CRL) and finds that the other party's certificate appears in that list, the authenticationThe authentication is terminated here. The following are the 3 basic methods for checking whether a certificate has been revoked (in order of popularity).Certificate Revocation List (CRL): is a list of certificates sorted by their serial numbers. The certificates in this list were originally issued by the CA but have since been revoked by it and therefore should not be trusted certificates. The size of the CRL can be so large that the client must query the entire list to verify that a specific certificate is in the list. Think of CRLs as a list of naughty people. In contrast to OSCP and AAA, CRL is a protocol dedicated to querying for revoked digital certificates. CRLs can be accessed through a variety of protocols, including LDAP and HTTP.OnlineCertificateStatusProtocol (OCSP): is an alternative to CRL. With this protocol, the client simply sends a request for the status of the certificate and gets a response without being informed of the full list of revoked certificates.Authentication, Authorization and Accounting (AAA): The CiscoAAA service also supports the ability to verify digital certificates, which can be used to check whether a certificate has been revoked. Because this is a private solution, it is not commonly used within PKI.6.3.9 Using Digital Certificates Digital certificates can be used for a variety of purposes. A digital certificate allows a client to authenticate the identity of a web server to be connected via HTTP Secure (HTTPS), Transport Layer Security (TLS) or Secure Socket Layer (SSL). For the average user, who does not have to develop these protocols but simply uses them to benefit from them, the security benefits of HTTP combined with TLS/SSL are virtually the same. This means that users can use digital certificates when accessing the bank's website for Internet banking on their own PCs. It also means that digital certificates can be used to authenticate VPN peers whenever SSL technology is applied to remote access VPNs. Digital certificates can be paired with the IPSec family of protocols to use them in the authentication phase of IPSec. Digital certificates can also be paired with protocols such as 802.1X, which require users to authenticate at the network boundary before sending packets/data frames. An example of this is wireless networks, where access is controlled and authentication is required before a PC/user is granted access to the network, at which point a digital certificate can be used.314 Chapter 6 Cryptography and Public Key Infrastructure (PKI) Basics6.3.10 Topology of PKIThere is no one-size-fits-all solution for PKI. A single CA server may be sufficient for a small network, but for a network with 30,000 devices, a single server may not provide the necessary availability and redundancy. For this reason, it is necessary to look at various topologies (both single and hierarchical) according to . There are various ways to implement PKI according to various topologies (both single and hierarchical). Let's start with single CAs and then gradually expand on them.