New Member

IPSEC authentication with CA

Hi,

While configuring IPsec authentication with a CA, we are required to install two certificates on the ASA: an identity certificate and a CA certificate. I actually could not understand the concept behind these two certificates.

Please share your experience; any link or URL with an explanation is highly appreciated.

Attaching here the Cisco document which we are referring to for configuration.

( This document shows installation of these two - Identity and CA certificate.)

Thanks in advance.

Subodh

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: IPSEC authentication with CA

Subodh

The 2 certificates are doing different things -

1) The identity certificate identifies the actual device. So when your firewall sets up a VPN with another firewall the identity certificate is what your firewall uses to identify itself.

2) The CA certificate is a certificate issued by a Certificate Authority (CA). This CA can be a public CA such as Verisign or it can be your own internal CA.

The idea behind a CA is that someone must be able to say whether a certificate is valid or not. So when your firewall sends its identity certificate to a 3rd party, how does that third party know that the certificate sent is valid and is from your firewall? This is where the CA comes in.

Basically a public CA such as Verisign acts as an independent body that says whether or not identity certificates are valid. Obviously that means that all parties must trust Verisign. When the 3rd party firewall receives your identity certificate there will be a certificate chain included which will point to Verisign. So the third party firewall can then "ask" Verisign if the certificate is okay or not.

Jon

New Member

Re: IPSEC authentication with CA

Hi,

Thanks Jon Marshall for your reply. I guess I have understood the concept (I guess so). I am trying to draw a parallel: when we browse any HTTPS website (say amazon, ebay etc.) we receive a certificate from that website on our PC, which is from a well-known certifying authority (Verisign). In the next step, we already have the Verisign public key (certificate) in our browser, which is used to check the authenticity of the received certificates (amazon, ebay). In a nutshell there are two certificates: one which we receive from the website (in our case the device at the other end of the IPsec tunnel) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website.

Thanks again

subodh

Hall of Fame Super Blue

Re: IPSEC authentication with CA

Subodh

"In a nutshell there are two certificates: one which we receive from the website (in our case the device at the other end of the IPsec tunnel) and a second which we procure from the CA to check the authenticity of the certificate which we receive from the other end device or website."

Spot on, you have understood the concept correctly.

Jon
