Enterasys Networks Security Router X-Pedition™ User Manual



Describing Public-Key Infrastructure (PKI)

14-8 Configuring the Virtual Private Network

Figure 14-4 Certificate Chain Example

A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the
hierarchy. In a certificate chain, the following occurs:

Each certificate is followed by the certificate of its issuer.

Each certificate contains the name of that certificate's issuer, which is the same as the subject
name of the next certificate in the chain.

In Figure 14-4, the Admin CA certificate contains the name of the CA (that is, U.S. CA) that
issued that certificate. U.S. CA's name is also the subject name of the next certificate in the
chain.

Each certificate is signed with the private key of its issuer. The signature can be verified with
the public key in the issuer's certificate, which is the next certificate in the chain.

In Figure 14-4, the public key in the certificate for the U.S. CA can verify the U.S. CA's digital
signature on the certificate for the Admin CA.

The XSR automatically verifies the certificate chain structure associated with any IPSec client
certificate once certificates for all CAs in the chain have been collected. This includes the chain
for the certificate enrolled by the XSR and the chains for any IPSec peer that will establish
tunnels with the router. The CA certificates must be collected manually, but they are chained
together automatically using information in the CA client certificates; you do not have to create
these chains by hand.
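As an added illustration of the two chain properties described above (issuer name equals the next subject name; each signature verifies with the next certificate's public key), and not code from the manual or the XSR itself: the script below builds a Figure 14-4 style chain with openssl (assumed installed; every file name and subject is constructed) and shows that verification fails when the intermediate CA certificates have not been collected.

```shell
#!/bin/sh
# Constructed example (not from the manual): build a Figure 14-4 style chain
# Root CA -> U.S. CA -> Admin CA -> client with openssl, then check the two chain
# properties the text describes. File and subject names are our own.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

new_csr() {   # new_csr NAME CN: fresh private key and certificate request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=$2" >/dev/null 2>&1
}
sign() {      # sign NAME ISSUER EXTFILE: the issuer's private key signs NAME's request
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 365 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}
build_chain() {
  new_csr root "Root CA"      # trusted authority: CA certificate signed by itself
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
      -out root.pem >/dev/null 2>&1
  new_csr us "U.S. CA";      sign us root ca.ext        # intermediate, signed by Root CA
  new_csr admin "Admin CA";  sign admin us ca.ext       # intermediate, signed by U.S. CA
  new_csr client "xsr-peer"; sign client admin leaf.ext # end entity, signed by Admin CA
}

# Property 1: a certificate's issuer name equals the subject name of the next certificate.
issuer_matches_subject() {   # issuer_matches_subject CHILD PARENT
  [ "$(openssl x509 -in "$1.pem" -noout -issuer  | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$2.pem" -noout -subject | sed 's/^subject=//')" ]
}
# Property 2: each signature verifies with the next certificate's public key, up to a
# trusted root. Only root.pem is trusted; the intermediates are untrusted chain material.
verify_full_chain() {
  openssl verify -CAfile root.pem -untrusted us.pem -untrusted admin.pem client.pem
}
# The same leaf with the intermediate CA certificates missing must fail to verify, which
# is why every CA in the chain has to be collected before the XSR can validate a peer.
verify_missing_intermediates() {
  ! openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
}

build_chain
```

Running `verify_full_chain` prints `client.pem: OK` only when the whole path to the self-signed root is present.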

CA certificates are stored in a local certificate database. The XSR's IPSec client certificate is
enrolled in a CA with SCEP enroll and stored in the local certificate DB. Certificates for peer
IPSec clients are passed to the XSR by IKE, used to authenticate the peer, then discarded.

RA Mode

Some CA implementations distribute the CA's operation/authentication of clients to RA agents -
the Microsoft CA implements its CA this way. The XSR will automatically adjust to the CA's mode
of operation: you need not specify whether your CA uses RA mode or not. If your CA uses RA
mode you will notice more than one certificate for the CA after you authenticate against it.

Figure 14-4 (labels recovered from the diagram): Root CA (trusted authority; CA certificate signed
by self) with subordinate CAs U.S. CA, Europe CA, Asia CA, Marketing CA, Sales CA and Admin CA. The
verification path shown runs from the certificate issued by Admin CA, through the Admin CA
certificate signed by U.S. CA and the U.S. CA certificate signed by Root CA (both intermediate
authorities), to the self-signed Root CA certificate held by the program verifying the certificate.
