Solved: IPSEC authentication with CA

bapatsubodh · ‎09-14-2009

Hi,

While configuring IPSEC authentication with CA. We are required to install two certificates on ASA - Identity certificate and CA certificate. I actually could not understand these tow certificate concept.

Please share the experience any link on explanation / URL is highly appreciable.

Attaching here the Cisco document which we are refering for configuration.

( This document shows installation of these two - Identity and CA certificate.)

Thanks in advance.

Subodh

Jon Marshall · ‎09-14-2009

Subodh

The 2 certificates are doing different things -

1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall the identity certificate is what your firewall uses to identify itself.

2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Versign or it can be your own internal CA.

The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends it's identity certificate to a 3rd party how does that thrid party know that the certificate sent is valid and is from your firewall. This is where the CA comes in.

Basically a public CA such as Versign act as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.

Jon

View solution in original post

Jon Marshall · ‎09-14-2009

Subodh

The 2 certificates are doing different things -

1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall the identity certificate is what your firewall uses to identify itself.

2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Versign or it can be your own internal CA.

The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends it's identity certificate to a 3rd party how does that thrid party know that the certificate sent is valid and is from your firewall. This is where the CA comes in.

Basically a public CA such as Versign act as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.

Jon

bapatsubodh · ‎09-14-2009

Hi,

Thanks Jon Marshall for your reply. I guess, have understood the concept ( i guess so). I am trying to have parallel : when we browse any https website ( say for amazon,ebay etc ) we receive a certificate from that website on our PC. Which is from well known certifying aithority ( verisign ). In next step we already have verisign Public key ( certificate ) with our browser , which is used to check the received certificates authenticity ( amazon, ebay ). In nutshell there are two certificates one which we receive from webiste ( in our case other end of the IPSEC tunnel device ) and second which we procure from CA to check the certificate authenticty which we receive from other end device or website.

Thanks again

subodh

Jon Marshall · ‎09-14-2009

Subodh

"In nutshell there are two certificates one which we receive from webiste ( in our case other end of the IPSEC tunnel device ) and second which we procure from CA to check the certificate authenticty which we receive from other end device or website."

Spot on, you have understood the concept correctly.

Jon