VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION User Manual Page 5
TLS Implementation for VCM
TECHNICAL WHITE PAPER / 5
Certificates and Public Key Infrastructure
A Public Key Infrastructure, or PKI, is a management system that aids in the administration and distribution of public
keys and certificates. TLS can use certificates managed by a PKI to authenticate servers and clients. Certificates can
also be created, managed, and used by TLS without a PKI. For more information about manually creating certificates,
see Creating Certificates for TLS Using Makecert on page 20.
There are two main types of encryption algorithms:
  • Single key, symmetric, or secret key algorithms use a single key, which must be kept secret by every party that
    holds it.
  • Public key, or asymmetric, algorithms use a pair of keys. Whatever one key encrypts, only the other can decrypt,
    and the process is reversible: either key can be used to encrypt, and the other must then be used to decrypt.
    Asymmetric encryption is much slower than symmetric encryption, so it is common to use an asymmetric protocol
    to securely negotiate a session key, a secret key used only for the duration of a single connection. The public
    key in a key pair may be freely passed around. However, it is important to verify that you have the key you think
    you have, and that it belongs to the entity you think it belongs to. Certificates are the mechanism for making
    this identification.
A certificate is a package containing a public key, information identifying the owner or source of the key, and one or
more certifications (signatures) attesting that the package is authentic.
To sign a certificate, an issuer adds information about itself to the information already in a certificate request. The
public key and identifying information are hashed, and the hash is signed with the issuer's private key, the one that
corresponds to the public key in the issuer's own certificate.
If you have the issuer's public key, you can check that signature and so confirm that the public key in the certificate
belongs to the entity identified in the certificate, provided you trust the issuer. You will hold the issuer's public key in
a certificate of the same kind, which is in turn signed by another issuer. This sequence is called a certification path, or
trust chain. The path ends when you arrive at a certificate that is signed by itself (self-signed), or when one of the
certificates is explicitly trusted. The path is trusted only if it ends in a trusted certificate; typically this means that
someone has installed that certificate in a trusted certificate store. A self-signed certificate proves nothing on its own,
since anyone can create one, so it must be explicitly trusted before any path ending in it is.
Expiration and Revocation
Keys and certificates are not designed to be used permanently. Keys can be compromised and circumstances can
change. Certificates are created with a validity period, before and after which they should not be used or trusted. If
any certificate in the chain expires (its "valid to"/"not after" date passes without the certificate being renewed or
replaced), it can no longer be used to establish a TLS session. Validity is judged against the clock of the system
checking the certificate, so an incorrect system time can make a valid certificate appear expired or not yet valid.
In addition, certificates can be revoked before they expire to indicate the withdrawal of trust. The issuing authority may
publish a certificate revocation list (CRL), signed with its own key, as an additional validation step for the certificates it
has issued. Any certificate that appears in the list should not be trusted, and the CRL itself should be checked for a
valid signature and for freshness (its next-update time has not passed) before it is relied on.
To view your VCM certificates at any time in the VCM Portal, click Administration | Certificates. The data grid
displays your certificates together with related information, including their expiration dates.
For information on how to renew or replace your certificates, see Changing Certificates on page 13.
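As an added illustration of the certification path, expiry and CRL checks described above (this is not code from the VCM white paper or from VMware; the CA names, the host name vcm.example.com, the serial numbers and the lifetimes are all constructed for the example), the following Go program builds a three-tier chain with the standard crypto/x509 package, verifies the leaf against a trust store with and without the root installed, shows the same chain failing once the leaf's not-after date has passed, and has the issuing CA publish a CRL that lists the leaf:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// Chain is a constructed three-tier PKI: self-signed root -> issuing CA -> server leaf (all names illustrative).
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey // kept so the issuing CA can later sign a CRL
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue hashes and signs the subject identity, serial, validity period and public key
// with the signer's private key; parent == nil produces a self-signed root.
func issue(serial int64, cn string, now time.Time, life time.Duration, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour), // slight backdate so issuer/verifier clock skew cannot trip "not before"
		NotAfter:     now.Add(life),
		IsCA:         isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildChain creates the certification path with all validity periods anchored at now.
func BuildChain(now time.Time) *Chain {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(1, "Example Root CA", now, 10*year, true, nil, &rootKey.PublicKey, rootKey)
	inter := issue(2, "Example Issuing CA", now, 5*year, true, root, &interKey.PublicKey, rootKey)
	leaf := issue(3, "vcm.example.com", now, 1*year, false, inter, &leafKey.PublicKey, interKey)
	return &Chain{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}
}

// VerifyLeaf walks the path leaf -> issuing CA -> a root in the trust store, checking every
// signature and every validity period against the time at.
func VerifyLeaf(c *Chain, trustedRoots []*x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool() // an empty but non-nil pool means "trust nothing", not "use the system store"
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "vcm.example.com", Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

// IssueCRL has the issuing CA publish a signed revocation list naming the leaf.
func IssueCRL(c *Chain, now time.Time) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), // stale after NextUpdate
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: c.Leaf.SerialNumber, RevocationTime: now}},
	}, c.Inter, c.InterKey))
	return must(x509.ParseRevocationList(der))
}

// IsRevoked reports whether cert's serial is listed in a CRL whose signature verifies against
// the issuer; a CRL that fails that check is an error, not a "not revoked" answer.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	c := BuildChain(now)
	fmt.Println("root in store:", VerifyLeaf(c, []*x509.Certificate{c.Root}, now), "| empty store:", VerifyLeaf(c, nil, now))
	fmt.Println("two years on:", VerifyLeaf(c, []*x509.Certificate{c.Root}, now.Add(2*year)))
	fmt.Println(IsRevoked(IssueCRL(c, now), c.Inter, c.Leaf))
}
```

Two details are worth noting. An empty but non-nil root pool trusts nothing, which is the state of a client that has never had the root installed in its certificate store: the chain is intact and every signature is good, yet verification fails with an unknown-authority error. And IsRevoked refuses to consult a CRL whose signature does not verify against the issuing CA, so a forged or tampered list cannot silently un-revoke a certificate.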