Enterasys Networks Security Router X-Pedition User Manual: CA Hierarchies, Certificate Chains

Describing Public-Key Infrastructure (PKI)

XSR User’s Guide 14-7

CRL checking is not optional. CRLs are collected automatically by the XSR using information
available in the IPSec and CA certificates it has already collected.

Two methods are available to perform this collection:

HTTP Get issues an HTTP-based request to collect the certificate.

LDAP issues URL requests to collect CRLs.

Most CAs can be configured to use either or both of these CRL retrieval mechanisms. The XSR
automatically uses one method or the other based on information stored in the certificates.

CA Hierarchies

In large organizations, it may be advantageous to delegate the responsibility for issuing
certificates to several different CAs. For example, the number of certificates required may be too
large for a single CA to maintain; different organizational units may have different policy
requirements; or it may be important for a CA to be physically located in the same geographic area
as the people to whom it is issuing certificates.

It is also possible to delegate certificate-issuing responsibilities to subordinate CAs. The X.509
standard includes a model for setting up a hierarchy of CAs. As shown in Figure 14-3, the root CA
is at the top of the hierarchy. The root CA's certificate is a self-signed certificate: that is, the
certificate is digitally signed by the same entity (the root CA) that the certificate identifies.

Figure 14-3 Sample Hierarchy of CAs

The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA.
CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the
higher-level subordinate CAs.

Certificate Chains

CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates
issued by successive CAs. Figure 14-4 shows a certificate chain leading from a certificate that
identifies some entity through two subordinate CA certificates to the CA certificate for the root
CA (based on the CA hierarchy shown in Figure 14-4).

[Figure labels: Root CA; Subordinate CAs: US CA, Europe CA, Asia CA, Marketing CA, Sales CA,
Admin CA; Certificate issued by Admin CA]
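As an added illustration (not code from the XSR guide), the following Python sketches how a verifier walks such a chain from an end-entity certificate through subordinate CAs up to the trusted root, checking every link against its issuer's CRL as the text requires. The certificate record, the HMAC stand-in for the X.509 signature, the CA names taken from the figure, the secrets and the host name are all constructed assumptions.

```python
import hashlib
import hmac
from collections import namedtuple
# Constructed stand-in for an X.509 certificate. Its "signature" is an HMAC under the
# issuer's secret, used only so the chain walk has a real pass/fail check; a real
# verifier checks an RSA/ECDSA signature with the issuer's public key instead.
Cert = namedtuple("Cert", "subject issuer serial is_ca signature")

def _tbs(subject, issuer, serial, is_ca):  # the to-be-signed bytes
    return f"{subject}|{issuer}|{serial}|{int(is_ca)}".encode()

def issue(subject, issuer, serial, is_ca, issuer_secret):
    sig = hmac.new(issuer_secret, _tbs(subject, issuer, serial, is_ca), hashlib.sha256).digest()
    return Cert(subject, issuer, serial, is_ca, sig)

def signed_by(cert, issuer_secret):
    want = hmac.new(issuer_secret, _tbs(*cert[:4]), hashlib.sha256).digest()
    return hmac.compare_digest(cert.signature, want)

def build_chain(leaf, pool, trusted_roots, crls, keys, max_depth=6):
    """Walk subject->issuer links from leaf up to a trusted self-signed root.
    pool: {subject: subordinate CA cert}; trusted_roots: {subject: root cert};
    crls: {issuer: set of revoked serials}; keys: {subject: issuer secret}.
    Returns (chain, None) on success or (None, reason) on failure."""
    chain = [leaf]
    while len(chain) <= max_depth:
        cert = chain[-1]
        # CRL checking is not optional: every link is checked against its issuer's CRL.
        if cert.serial in crls.get(cert.issuer, set()):
            return None, f"{cert.subject} (serial {cert.serial}) revoked by {cert.issuer}"
        issuer = trusted_roots.get(cert.issuer) or pool.get(cert.issuer)
        if issuer is None:
            return None, f"no certificate found for issuer {cert.issuer}"
        if not issuer.is_ca or not signed_by(cert, keys[issuer.subject]):
            return None, f"{cert.subject} is not validly signed by CA {issuer.subject}"
        chain.append(issuer)
        if issuer.subject in trusted_roots:  # reached the self-signed root: done
            return chain, None
    return None, "chain exceeds maximum depth"
KEYS = {"Root CA": b"root-secret", "US CA": b"us-secret", "Admin CA": b"admin-secret"}  # constructed
def demo(revoke_admin_ca=False):
    """One path through the Figure 14-3 hierarchy: Root CA -> US CA -> Admin CA -> end entity."""
    root = issue("Root CA", "Root CA", 1, True, KEYS["Root CA"])
    us = issue("US CA", "Root CA", 2, True, KEYS["Root CA"])
    admin = issue("Admin CA", "US CA", 3, True, KEYS["US CA"])
    leaf = issue("xsr.example.com", "Admin CA", 4, False, KEYS["Admin CA"])
    crls = {"US CA": {3} if revoke_admin_ca else set()}  # US CA's CRL may list Admin CA
    chain, err = build_chain(leaf, {c.subject: c for c in (us, admin)}, {"Root CA": root}, crls, KEYS)
    return ([c.subject for c in chain] if chain else None), err
```

Revoking the Admin CA certificate in the US CA's CRL makes the whole chain below it fail, which is why the guide stresses that CRL retrieval is mandatory rather than optional.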
