Enterasys Networks X-PeditionTM manual RA Mode, Certificate Chain Example

Describing Public-Key Infrastructure (PKI)

Figure 14-4 Certificate Chain Example

[Figure: Root CA holds a CA certificate signed by self (trusted authority). U.S. CA, Asia CA and Europe CA hold CA certificates signed by Root CA (intermediate authorities). Sales CA, Marketing CA and Admin CA hold CA certificates signed by U.S. CA (intermediate authorities). The program verifying the certificate holds a certificate issued by Admin CA.]

A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occurs:

Each certificate is followed by the certificate of its issuer.

Each certificate contains the name of that certificate's issuer, which is the same as the subject name of the next certificate in the chain.

In Figure 14-4, the Admin CA certificate contains the name of the CA (that is, U.S. CA) that issued that certificate. The U.S. CA's name is also the subject name of the next certificate in the chain.

Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain.

In Figure 14-4, the public key in the certificate for the U.S. CA can verify the U.S. CA's digital signature on the certificate for the Admin CA.
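The two rules above, applied to a chain modelled on Figure 14-4, as an added example that is not part of the manual and not the XSR's own code. It mints a throwaway Root CA, U.S. CA, Admin CA and end-entity certificate (the names and the "ipsec-client" subject are constructed for illustration) and then walks the chain leaf first, checking that each issuer name equals the next subject and that each signature verifies with the next certificate's public key, with the root checked against itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mint issues a certificate for name signed by parent (nil parent: self-signed root).
func mint(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key // signed by self, like the figure's Root CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors ignored for brevity
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// WalkChain checks a leaf-first chain the way the text describes: each issuer name
// equals the next subject and each signature verifies with the next public key;
// the final certificate is the root, which is checked against itself.
func WalkChain(chain []*x509.Certificate) error {
	for i, cert := range chain {
		issuer := cert
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if cert.Issuer.String() != issuer.Subject.String() {
			return fmt.Errorf("%s: issuer %q is not the next subject %q", cert.Subject.CommonName, cert.Issuer.CommonName, issuer.Subject.CommonName)
		}
		if err := cert.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("%s: not signed by %q: %w", cert.Subject.CommonName, issuer.Subject.CommonName, err)
		}
	}
	return nil
}
// BuildExampleChain mirrors Figure 14-4 with constructed data: leaf <- Admin CA <- U.S. CA <- Root CA.
func BuildExampleChain() []*x509.Certificate {
	root, rootKey := mint("Root CA", true, nil, nil)
	us, usKey := mint("U.S. CA", true, root, rootKey)
	admin, adminKey := mint("Admin CA", true, us, usKey)
	leaf, _ := mint("ipsec-client", false, admin, adminKey)
	return []*x509.Certificate{leaf, admin, us, root}
}
```

Removing Admin CA from the chain fails the issuer-name rule, and a different CA that merely reuses the name "Admin CA" fails the signature rule, which is why both checks are needed.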

The XSR will automatically verify the certificate chain structure associated with any IPSec client certificate once certificates for all CAs in the chain have been collected manually. This includes the chain for the certificate enrolled by the XSR and the chains for any IPSec peer that will establish tunnels with the router. The CA certificates must be collected manually, but they are automatically chained together using the issuer information in the CA and client certificates. You do not have to manually create these chains.

CA certificates are stored in a local certificate database. The XSR's IPSec client certificate is enrolled with a CA using SCEP enroll and stored in the local certificate database. Certificates for peer IPSec clients are passed to the XSR by IKE, used to authenticate the peer, and then discarded.

RA Mode

Some CA implementations distribute the CA's operation and authentication of clients to registration authority (RA) agents; the Microsoft CA implements its CA this way. The XSR automatically adjusts to the CA's mode of operation: you need not specify whether your CA uses RA mode. If your CA uses RA mode, you will notice more than one certificate for the CA after you authenticate against it.

14-8 Configuring the Virtual Private Network
