Enrollment Procedure
PKI enrollment is the procedure of adding a PKI user to the PKI. A PKI user can be a person, a router, a firewall, or any entity that will be a future certificate holder. The certificate enrollment procedure involves three steps:
Step 1. The user obtains the CA certificate with the CA's public key. This public key is used to verify the digital signature on other certificates.
Step 2. The user sends identity information and the public key to the CA.
Step 3. The CA authenticates the user, signs the submitted information, and returns the signed data in the form of a certificate.
The enrollment procedure is the initial step of key exchange between a user and the PKI server. This procedure can be performed over an untrusted network if the necessary precautions are used. To mitigate the risk of interception on an untrusted network, two out-of-band authentication procedures are required:
- Verification by the user that the correct CA certificate is received
- Verification by the CA that it has received the correct enrollment information from the user
To verify that the user receives the correct certificate, the user calculates a local hash of the received information. This hash is compared to the true CA certificate fingerprint that was obtained over the phone or through another secure channel. If the hash and fingerprint match, the user knows that the correct information was received from the CA. The CA performs the same procedure with the information it receives from the user: the CA also creates a local hash of the received enrollment request and compares it, over a secure channel, with the hash the user computed. If they match, the CA has received an unmodified enrollment request.

Various enrollment protocols are used today:
- File-based requests: The end user formats the enrollment request in the form of a PKCS #10 message in a file. This file is transferred to the CA, which signs the information and returns a PKCS #10 response file with the embedded certificate.
- Web-based requests: This protocol runs over HTTP and is used by web browsers.
- Simple Certificate Enrollment Protocol (SCEP): This is a lightweight, HTTP-based protocol for enrollment of VPN devices.
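The out-of-band fingerprint check described above, as an added example that is not part of the original text or of any vendor's implementation. It uses only the Python standard library: the fingerprint is a hash over the DER encoding of what was received (a CA certificate on the user side, a PKCS #10 request on the CA side), printed the way OpenSSL prints it, and compared in constant time against the value read out over the phone or another secure channel. `RECEIVED_DER` is a constructed byte string standing in for real certificate bytes, and the PEM helpers, `fingerprint`, `normalize` and `matches_out_of_band` are names chosen here, not an existing API.

```python
"""Out-of-band fingerprint verification for PKI enrollment (added example)."""
import base64
import hashlib
import hmac
import re

# Constructed sample: stands in for the DER bytes of a CA certificate (or a
# PKCS #10 enrollment request) received over an untrusted network.
# It is NOT a real certificate; any byte string works for the hash check.
RECEIVED_DER = bytes(range(256)) * 4

# Constructed tampered copy: one bit flipped in the last byte, as an
# on-path modification would produce. The fingerprint must no longer match.
TAMPERED_DER = RECEIVED_DER[:-1] + bytes([RECEIVED_DER[-1] ^ 0x01])


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and decode the body; the fingerprint is taken over DER."""
    body = re.sub(r"-----(BEGIN|END) [A-Z0-9 ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint in OpenSSL's display form: uppercase hex octets joined by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept the fingerprint however it was read out: any case, colons, spaces."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def matches_out_of_band(der: bytes, spoken_fp: str, algo: str = "sha256") -> bool:
    """Compare the locally computed fingerprint with the out-of-band value.

    Both sides of the enrollment use the same check: the user on the received
    CA certificate, the CA on the received enrollment request.
    """
    local = normalize(fingerprint(der, algo))
    expected = normalize(spoken_fp)
    # A truncated or garbled read-out must fail rather than partially match.
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False
    # Constant-time comparison: the outcome, not the timing, is the only signal.
    return hmac.compare_digest(local, expected)


if __name__ == "__main__":
    # Simulate the user: receive the CA certificate as PEM, recover DER, hash it.
    received_pem = der_to_pem(RECEIVED_DER)
    local_fp = fingerprint(pem_to_der(received_pem))
    print("local fingerprint :", local_fp)

    # The value obtained over the phone is, in this constructed case, the true one.
    out_of_band_fp = fingerprint(RECEIVED_DER).lower().replace(":", " ")
    print("CA certificate accepted:", matches_out_of_band(pem_to_der(received_pem), out_of_band_fp))

    # The same check rejects a certificate modified in transit.
    print("tampered copy accepted :", matches_out_of_band(TAMPERED_DER, out_of_band_fp))
```

The length check before the comparison matters in practice: a fingerprint read out over the phone is often shortened or mis-transcribed, and a partial match must count as a failure, not as verification. The same function serves the CA's side of the procedure, where the input is the DER of the received PKCS #10 request and the out-of-band value is the hash the user reports.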