While configuring IPSEC authentication with a CA, we are required to install two certificates on the ASA: an identity certificate and a CA certificate. I actually could not understand the concept of these two certificates.
Please share your experience; any link or URL with an explanation is highly appreciated.
Attaching here the Cisco document which we are referring to for configuration.
(This document shows the installation of these two, the identity and CA certificate.)
Thanks in advance.
The 2 certificates do different things:
1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall, the identity certificate is what your firewall uses to identify itself.
2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Verisign or it can be your own internal CA.
The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends its identity certificate to a 3rd party, how does that third party know that the certificate sent is valid and is from your firewall? This is where the CA comes in.
Basically a public CA such as Verisign acts as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will be a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.
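To make the two roles concrete, here is an added example (not from the thread or from Cisco) using plain openssl: it creates a private CA certificate, issues an identity certificate for a hypothetical firewall named asa1.example.test, and then runs the same check a peer performs, validating the identity certificate against the CA certificate it trusts. A second, unrelated CA is included to show the check failing when the chain does not lead to a trusted CA.

```shell
#!/bin/sh
# Added example: private CA + identity certificate + the peer's validation step.
# All names (Example Internal CA, asa1.example.test, Some Other CA) are made up.
set -e
WORK=$(mktemp -d)

# 1) CA certificate: a self-signed root that every peer must be configured to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2) Identity certificate: the firewall's own key and CSR, signed by the CA above.
#    (On the ASA this is the enrollment step: the CSR leaves the box, the signed
#    certificate comes back and is installed alongside the CA certificate.)
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=asa1.example.test" \
  -keyout "$WORK/asa1.key" -out "$WORK/asa1.csr" 2>/dev/null
openssl x509 -req -in "$WORK/asa1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/asa1.crt" 2>/dev/null

# 3) An unrelated CA that the peer does NOT trust, to show a failed validation.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# The peer's check: does the identity cert ($1) chain to a CA cert I trust ($2)?
# Prints OK when the signature chain is valid, FAIL otherwise.
verify_identity() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# The identity certificate names its issuer: this is the "pointer" to the CA that
# the answer above describes.
openssl x509 -in "$WORK/asa1.crt" -noout -subject -issuer

# Same identity certificate, two different trust stores.
echo "against the issuing CA:    $(verify_identity "$WORK/asa1.crt" "$WORK/ca.crt")"
echo "against an unrelated CA:   $(verify_identity "$WORK/asa1.crt" "$WORK/other.crt")"
```

The first check prints OK and the second prints FAIL, which is exactly why a peer needs the CA certificate installed before it can accept anyone's identity certificate.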