IPSEC authentication with CA

Answered Question
Sep 14th, 2009

Hi,

While configuring IPSEC authentication with a CA, we are required to install two certificates on the ASA: an identity certificate and a CA certificate. I actually could not understand the concept of these two certificates.

Please share your experience; any link to an explanation / URL is highly appreciated.

Attaching here the Cisco document which we are referring to for configuration.

( This document shows installation of these two - Identity and CA certificate.)

Thanks in advance.

Subodh

Correct Answer by Jon Marshall about 7 years 2 months ago

Subodh

The 2 certificates are doing different things -

1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall the identity certificate is what your firewall uses to identify itself.

2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Verisign or it can be your own internal CA.

The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends its identity certificate to a 3rd party, how does that third party know that the certificate sent is valid and is from your firewall? This is where the CA comes in.

Basically a public CA such as Verisign acts as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will be a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.

Jon


bapatsubodh Mon, 09/14/2009 - 09:41

Hi,

Thanks Jon Marshall for your reply. I guess I have understood the concept (I guess so). I am trying to draw a parallel: when we browse any HTTPS website (say Amazon, eBay, etc.) we receive a certificate from that website on our PC, which is from a well-known certifying authority (Verisign). In the next step we already have the Verisign public key (certificate) with our browser, which is used to check the received certificate's authenticity (Amazon, eBay). In a nutshell there are two certificates: one which we receive from the website (in our case the other end of the IPSEC tunnel device) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website.

Thanks again

subodh

Jon Marshall Mon, 09/14/2009 - 10:41

Subodh

"In a nutshell there are two certificates: one which we receive from the website (in our case the other end of the IPSEC tunnel device) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website."

Spot on, you have understood the concept correctly.

Jon
