ADS-TEC RAP/RAC1000 User Manual

Page 163


IT Infrastructure RAP/RAC1000

© ads-tec GmbH • Raiffeisenstr.14 • 70771 Leinfelden-Echterdingen


12.2 Certificates

General

Certificates serve to authenticate a computer or user and to encrypt a connection (e.g. OpenVPN, IPsec, web page). Before it can be used for this purpose, a certificate must be signed by a Certificate Authority (CA). For authentication, the certificate presented by the remote peer is checked against the CA certificate: if the signature is valid and the CA is trusted, the peer is deemed authenticated. A CA certificate is called a Root Certificate if it is the basis of authentication and has not been signed by another authority (self-signed certificate). Such a Root CA can sign subordinate CA certificates; this creates a Chain of Trust whose basis is the Root Certificate.

To verify a certificate signed by a CA that is not a Root CA, the certificates of all superordinate CAs must be available.


Example:

A Root CA (ads-tec Root CA) signs a subordinate CA (ads-tec ST-CA), which in turn signs a Client Certificate for an OpenVPN connection. To verify the Client Certificate, the certificates of both "ads-tec ST-CA" and "ads-tec Root CA" must be available on the system.

ads-tec devices from the IT Infrastructure sector support such multi-level CA hierarchies. If all CA certificates of the hierarchy are available, the certificate-based services (e.g. OpenVPN, IPsec, RADIUS) always verify the complete hierarchy path. If a CA certificate in the chain proves to be invalid, all subordinate certificates are invalid as well.

To prevent misuse of lost or compromised certificates, any CA can issue a Certificate Revocation List (CRL). Certificates included in this list are invalid even if they are correctly signed.
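The hierarchy from the example above, rebuilt with openssl as an added illustration (not part of the manual and not the device's own PKI): a self-signed Root CA signs a subordinate CA, which signs an OpenVPN client certificate. The script then shows that the client certificate fails verification when only the Root CA is present, passes with the full chain, and is rejected once the sub CA has placed it on a CRL, although its signature is still valid. All names, paths and the openssl ca configuration are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the ads-tec manual: builds the hierarchy described above
# (Root CA -> sub CA -> OpenVPN client certificate) with openssl in a temp dir and
# checks it the way a certificate-based service must. All names are constructed.
set -e
PKI=$(mktemp -d)
# Key pair plus CSR for file stem $1 with subject CN=$2 (EC keys keep the demo fast).
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" -subj "/CN=$2" 2>/dev/null
}
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$PKI/client.ext"
  csr root "ads-tec Root CA"      # self-signed: the basis of the chain of trust
  openssl x509 -req -days 365 -in "$PKI/root.csr" -signkey "$PKI/root.key" \
    -extfile "$PKI/ca.ext" -out "$PKI/root.crt" 2>/dev/null
  csr sub "ads-tec ST-CA"         # subordinate CA, signed by the root
  openssl x509 -req -days 365 -in "$PKI/sub.csr" -CA "$PKI/root.crt" -CAkey "$PKI/root.key" \
    -CAcreateserial -extfile "$PKI/ca.ext" -out "$PKI/sub.crt" 2>/dev/null
  csr client "vpn-client-01"      # OpenVPN client certificate, signed by the sub CA only
  openssl x509 -req -days 365 -in "$PKI/client.csr" -CA "$PKI/sub.crt" -CAkey "$PKI/sub.key" \
    -CAcreateserial -extfile "$PKI/client.ext" -out "$PKI/client.crt" 2>/dev/null
  cat "$PKI/root.crt" "$PKI/sub.crt" > "$PKI/chain.pem"
  # Minimal 'openssl ca' database so the sub CA can revoke certificates and issue a CRL.
  : > "$PKI/index.txt"; echo 01 > "$PKI/crlnumber"
  printf '[ca]\ndefault_ca=sub\n[sub]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\n' \
    "$PKI" "$PKI" > "$PKI/ca.cnf"
  printf 'default_md=sha256\ndefault_crl_days=30\n' >> "$PKI/ca.cnf"
}
subca() { openssl ca -config "$PKI/ca.cnf" -keyfile "$PKI/sub.key" -cert "$PKI/sub.crt" "$@" >/dev/null 2>&1; }
issue_crl()     { subca -gencrl -out "$PKI/crl.pem"; }
revoke_client() { subca -revoke "$PKI/client.crt"; }
# Returns 0 only if openssl verify accepts the client certificate against CA bundle $1;
# further arguments (e.g. -crl_check -CRLfile ...) are passed on to openssl verify.
client_ok() {
  bundle=$1; shift
  case "$(openssl verify -CAfile "$bundle" "$@" "$PKI/client.crt" 2>&1)" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}
build_pki
client_ok "$PKI/root.crt"  && echo "root CA only: OK"  || echo "root CA only: FAIL (sub CA missing)"
client_ok "$PKI/chain.pem" && echo "full chain: OK"    || echo "full chain: FAIL"
issue_crl                                            # empty CRL: nothing revoked yet
client_ok "$PKI/chain.pem" -crl_check -CRLfile "$PKI/crl.pem" && echo "with CRL: OK" || echo "with CRL: FAIL"
revoke_client; issue_crl                             # revoke the client, publish a new CRL
client_ok "$PKI/chain.pem" -crl_check -CRLfile "$PKI/crl.pem" && echo "revoked: OK" || echo "revoked: FAIL (on CRL)"
```

Without -crl_check the revoked certificate still verifies, which is exactly why a service that relies on a CRL must be configured to consult it.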
