Panasonic NN46110-600 User Manual
Chapter 3 Using certificates 85
Figure 14 CA Key Update ready for authentication
Prior to a key update, the original CA certificate (the self-signed root
certificate in the figure above) is pushed out to the directory by the CA, along
with the CRL it produced (a list of revoked certificates, digitally signed with the
CA's private key). Both the VPN Router and the user's PC hold certificates issued
by that CA, as well as a copy of the self-signed CA certificate itself. The user's
PC authenticates the VPN Router certificate because it has stored locally the
original CA certificate that issued the VPN Router certificate. Likewise, the VPN
Router authenticates the user because it has the CA certificate that issued the
user certificate. The VPN Router can also verify that the user's certificate has
not been revoked, because it was configured to periodically retrieve the latest
CRL from the directory, and it can authenticate that CRL because it has the CA
certificate whose key signed it.
After a CA Key Update occurs, the directory contains four certificates:
• the original self-signed CA certificate (old key, signed with the old key)
• the new self-signed CA certificate (new key, signed with the new key)
• two cross certificates: the new CA key certified by the old key, and the old
CA key certified by the new key
From this point forward, all CRLs issued by the CA are signed by the updated
CA key. A VPN Router or user that still trusts only the original self-signed
certificate can therefore authenticate the new CRL, and certificates issued under
the new key, only through the cross certificate in which the old key certifies
the new one; the other cross certificate lets a party that trusts only the new
self-signed certificate authenticate certificates issued under the old key.
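The following script is an added example and is not part of the Nortel manual or
the VPN Router software. It builds the situation described above with the openssl
command line: two CA keys, the two self-signed certificates, the two cross
certificates, and a VPN Router certificate issued under each key, then checks which
trust anchor can validate which certificate, with and without the cross certificate.
The CA name (Example VPN CA), the host name (vpn-router.example.net) and all file
names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Nortel manual: a CA key update (rollover) built
# with the openssl CLI. All names (Example VPN CA, vpn-router.example.net, file
# names) are made up for the demonstration.
set -eu

# pki_setup DIR: create the four CA certificates the directory holds after a
# key update (two self-signed roots, two cross certificates) plus a VPN Router
# certificate issued under each CA key.
pki_setup() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example VPN CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # K1 is the original CA key, K2 the key introduced by the update
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/k1.key"
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/k2.key"
  # Self-signed roots: ca1-self (original) and ca2-self (new)
  for n in 1 2; do
    openssl req -x509 -new -key "$d/k$n.key" -config "$d/pki.cnf" -extensions ca_ext \
      -subj "/CN=Example VPN CA" -days 3650 -sha256 -out "$d/ca$n-self.crt"
  done
  # Cross certificates: new-with-old (K2 certified by K1), old-with-new (K1 by K2)
  issue "$d" ca_ext "$d/k2.key" 1 new-with-old "/CN=Example VPN CA"
  issue "$d" ca_ext "$d/k1.key" 2 old-with-new "/CN=Example VPN CA"
  # VPN Router certificates issued before (K1) and after (K2) the key update
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/router.key"
  issue "$d" ee_ext "$d/router.key" 1 router-old "/CN=vpn-router.example.net"
  issue "$d" ee_ext "$d/router.key" 2 router-new "/CN=vpn-router.example.net"
}

# issue DIR EXTSECT KEY CANUM NAME SUBJECT: certify KEY with CA key K<CANUM>.
# The SKID/AKID extensions are what let a verifier tell the two CA keys apart,
# since both roots and both cross certificates carry the same subject name.
issue() {
  openssl req -new -key "$3" -config "$1/pki.cnf" -subj "$6" -out "$1/$5.csr"
  openssl x509 -req -in "$1/$5.csr" -CA "$1/ca$4-self.crt" -CAkey "$1/k$4.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions "$2" -days 3650 -sha256 \
    -out "$1/$5.crt" 2>/dev/null
}

# verify_chain ANCHOR LEAF [CROSS]: succeed only if LEAF chains to the
# self-signed ANCHOR, using the cross certificate CROSS (if given) as an
# untrusted intermediate, the way a peer would supply it during IKE.
verify_chain() {
  if [ -n "${3:-}" ]; then
    set -- -CAfile "$1" -untrusted "$3" "$2"
  else
    set -- -CAfile "$1" "$2"
  fi
  openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# rollover_demo DIR: show which trust anchor + cross certificate combination
# validates which router certificate.
rollover_demo() {
  dir=$1
  pki_setup "$dir"
  for c in "ca1-self router-old -" "ca1-self router-new -" \
           "ca1-self router-new new-with-old" "ca2-self router-old -" \
           "ca2-self router-old old-with-new" "ca2-self router-new -"; do
    set -- $c
    cross=
    if [ "$3" != - ]; then cross="$dir/$3.crt"; fi
    if verify_chain "$dir/$1.crt" "$dir/$2.crt" "$cross"; then r=OK; else r=FAIL; fi
    echo "trust $1, leaf $2, cross $3: $r"
  done
}

rollover_demo "$(mktemp -d)"
```

The two FAIL lines the demo prints are the point: a device that trusts only
ca1-self.crt cannot validate router-new.crt on its own, and one that trusts only
ca2-self.crt cannot validate router-old.crt, until the matching cross certificate
is supplied. The same mechanism covers the CRL statement above: a CRL signed with
the new key is acceptable to a device that trusts only the original root because
new-with-old.crt certifies the new key, which is what `openssl verify -crl_check
-CRLfile crl.pem -CAfile ca1-self.crt -untrusted new-with-old.crt` would check;
producing the CRL itself needs `openssl ca` and is left out of this example.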
Nortel VPN Router Security — Servers, Authentication, and Certificates