09-14-2009 06:14 AM - edited 02-21-2020 04:19 PM
Hi,
While configuring IPSEC authentication with CA, we are required to install two certificates on the ASA - an Identity certificate and a CA certificate. I actually could not understand the concept of these two certificates.
Please share your experience; any link on explanation / URL is highly appreciated.
Attaching here the Cisco document which we are referring to for configuration.
( This document shows installation of these two - Identity and CA certificate.)
Thanks in advance.
Subodh
09-14-2009 08:40 AM
Subodh
The 2 certificates are doing different things -
1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall the identity certificate is what your firewall uses to identify itself.
2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Verisign or it can be your own internal CA.
The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends its identity certificate to a 3rd party, how does that third party know that the certificate sent is valid and is from your firewall? This is where the CA comes in.
Basically a public CA such as Verisign acts as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will be a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.
Jon
09-14-2009 09:41 AM
Hi,
Thanks Jon Marshall for your reply. I guess I have understood the concept ( I guess so). I am trying to draw a parallel: when we browse any https website ( say amazon, ebay etc. ) we receive a certificate from that website on our PC, which is from a well known certifying authority ( Verisign ). In the next step we already have the Verisign public key ( certificate ) with our browser, which is used to check the received certificate's authenticity ( amazon, ebay ). In a nutshell there are two certificates: one which we receive from the website ( in our case the other end of the IPSEC tunnel device ) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website.
Thanks again
subodh
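The two-certificate idea from Jon's answer and the browser parallel in the reply above can be reproduced on a workstation with OpenSSL. The script below is an added example, not part of the thread and not Cisco configuration: it creates a private CA (the "CA certificate" you would install on the ASA), issues an identity certificate for a hypothetical device named asa1.example.test, and then checks that identity certificate against the CA certificate the way a VPN peer or a browser would. It also checks it against a second, unrelated CA to show that trust only comes from the CA the verifier actually holds. All names, the scratch directory and the key sizes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: private CA, identity certificate, and the verification a peer
# performs with the CA certificate. Requires the openssl CLI (assumption).
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

make_ca() {
  # CA private key plus a self-signed CA certificate. This is the certificate
  # a peer must already hold (trust) before it can judge anyone's identity.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 365 -subj "/CN=Example Internal CA" 2>/dev/null
}

make_identity() {
  # Device key and CSR, then the CA signs the CSR. The result, asa.crt, is
  # the identity certificate the device presents when it sets up the tunnel.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/asa.key" \
    -out "$WORK/asa.csr" -subj "/CN=asa1.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/asa.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/asa.crt" \
    -days 365 2>/dev/null
}

make_other_ca() {
  # A second CA that nobody in this example trusts; used to show that a
  # certificate only verifies against the CA that actually issued it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -days 365 -subj "/CN=Some Other CA" 2>/dev/null
}

verify_identity() {
  # Usage: verify_identity <trusted-ca-cert> <identity-cert>
  # Exit status 0 when the identity certificate chains to the trusted CA,
  # non-zero otherwise. This is the check the receiving peer performs.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_issuer() {
  # Print the issuer field of a certificate: which CA a verifier must hold.
  openssl x509 -noout -issuer -in "$1"
}

demo() {
  make_ca
  make_identity
  make_other_ca
  echo "Identity certificate issuer: $(cert_issuer "$WORK/asa.crt")"
  if verify_identity "$WORK/ca.crt" "$WORK/asa.crt"; then
    echo "verified against Example Internal CA: OK"
  fi
  if ! verify_identity "$WORK/other.crt" "$WORK/asa.crt"; then
    echo "verified against Some Other CA: rejected (as expected)"
  fi
}

# Run the demonstration only when invoked as: sh thisfile.sh demo
case "${1:-}" in demo) demo ;; esac
```

The identity certificate and the CA certificate are therefore different artefacts with different jobs: the first names the device and is signed by the CA, the second is the trust anchor each peer must hold in advance so that it can check that signature. Installing both on the ASA means the firewall can present its own identity and can also validate the identity certificate it receives from the far end.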
09-14-2009 10:41 AM
Subodh
"In a nutshell there are two certificates: one which we receive from the website ( in our case the other end of the IPSEC tunnel device ) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website."
Spot on, you have understood the concept correctly.
Jon