ADS-TEC RAP/RAC1000 User Manual
IT Infrastructure RAP/RAC1000
© ads-tec GmbH • Raiffeisenstr.14 • 70771 Leinfelden-Echterdingen
Page 163
12.2 Certificates
General
Certificates are used to authenticate a computer or user and to encrypt a connection
(e.g. OpenVPN, IPsec, web page). A certificate first has to be signed by a Certificate
Authority (CA) in order to be used for this purpose. For authentication, the certificate of the
receiver is checked against the CA certificate. If the signature is valid and the CA is
trustworthy, the receiver is deemed to be authenticated. A CA certificate is called a
Root Certificate if it is the basis of authentication and has not been signed by another
authority (self-signed certificate). Such a Root CA can be used to sign subordinate CA
certificates. In this way a Chain of Trust is created, the basis of which is the Root
Certificate.
To verify a certificate signed by a CA that is not a Root CA, the certificates of all
superordinate CAs must be available.
Example:
A Root CA (ads-tec Root CA) signs a subordinate CA (ads-tec ST-CA), which
in turn signs a Client Certificate for an OpenVPN connection. To verify the Client
Certificate, the certificates of both "ads-tec ST-CA" and "ads-tec Root CA" must be
available on the system.
ads-tec devices from the IT Infrastructure sector support such multi-level CA hierarchies. If
all CA certificates of the hierarchy are available, the certificate-based services (e.g.
OpenVPN, IPsec, RADIUS) always verify the complete hierarchy path. If a CA certificate in
the chain proves to be invalid, all certificates subordinate to it are invalid as well.
To prevent misuse of lost or compromised certificates, any CA can issue a Certificate
Revocation List (CRL). Certificates included in this list are invalid even if they are
correctly signed.