41-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter41 Configuring Digital Certificates
Information About Digital Certificates
Public Key Cryptography
Digital signatures, enabled by public key cryptography, provide a way to authenticate devices and users.
In public key cryptography, such as the RSA encryption system, each user has a key pair containing both
a public and a private key. The keys act as complements, and anything encrypted with one of the keys
can be decrypted with the other.
In simple terms, a signature is formed when data is encrypted with a private key. The signature is
attached to the data and sent to the receiver. The receiver applies the public key of the sender to the data.
If the signature sent with the data matches the result of applying the public key to the data, the validity
of the message is established.
This process relies on the receiver having a copy of the public key of the sender and a high degree of
certainty that this key belongs to the sender, not to someone pretending to be the sender.
Obtaining the public key of a sender is normally handled externally or through an operation performed
at installation. For example, most web browsers are configured with the root certificates of several CAs
by default. For VPN, the IKE protocol, a component of IPsec, can use digital signatures to authenticate
peer devices before setting up security associations.
Certificate Scalability
Without digital certificates, you must manually configure each IPsec peer for each peer with which it
communicates; as a result, each new peer that you add to a network would require a configuration change
on each peer with which it needs to communicate securely.
When you use digital certificates, each peer is enrolled with a CA. When two peers try to communicate,
they exchange certificates and digitally sign data to authenticate each other. When a new peer is added
to the network, you enroll that peer with a CA and none of the other peers need modification. When the
new peer attempts an IPsec connection, certificates are automatically exchanged and the peer can be
authenticated.
With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and
performing some public key cryptography. Each peer sends its unique certificate, which was issued by
the CA. This process works because each certificate encapsulates the public key for the associated peer,
each certificate is authenticated by the CA, and all participating peers recognize the CA as an
authenticating authority. The process is called IKE with an RSA signature.
The peer can continue sending its certificate for multiple IPsec sessions, and to multiple IPsec peers,
until the certificate expires. When its certificate expires, the peer administrator must obtain a new one
from the CA.
CAs can also revoke certificates for peers that no longer participate in IPsec. Revoked certificates are
not recognized as valid by other peers. Revoked certificates are listed in a CRL, which each peer may
check before accepting a certificate from another peer.
Some CAs have an RA as part of their implementation. An RA is a server that acts as a proxy for the
CA, so that CA functions can continue when the CA is unavailable.
Key Pairs
Key pairs are RSA keys, which have the following characteristics:
RSA keys can be used for SSH or SSL.
SCEP enrollment supports the certification of RSA keys.