Enterasys Security Router User's Guide

Describing Public-Key Infrastructure (PKI)
14-6 Configuring the Virtual Private Network
data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data,
then uses your private key to encrypt the hash. The encrypted hash, along with other information,
such as the hashing algorithm, is known as a digital signature.
Certificates
A certificate is an electronic document used to identify an individual, server, company, or other entity
and to associate that identity with a public key. Like a driver's license, a passport, or other personal
IDs, a certificate provides proof of a person's identity. PKI uses certificates to address the problem
of impersonation. Certificates are similar to these familiar forms of ID.
Certificate Authorities (CAs) validate identities and issue certificates. They can be either
independent third parties or organizations running their own certificate-issuing server software.
The XSR supports the Microsoft CA.
The methods used to validate an identity vary depending on the policies of a given CA - just as the
methods to validate other forms of identification vary depending on who is issuing the ID and the
purpose for which it will be used. In general, before issuing a certificate, the CA must use its
published verification procedures for that type of certificate to ensure that an entity requesting a
certificate is in fact who it claims to be.
The certificate issued by the CA binds a particular public key to the name of the entity the
certificate identifies (such as an employee or server name). Certificates help prevent the use of fake
public keys for impersonation. Only the public key certified by the certificate will work with the
corresponding private key possessed by the entity identified by the certificate.
In addition to a public key, a certificate always includes the name of the entity it identifies, an
expiration date, the name of the CA that issued the certificate, a serial number, and other data.
Most importantly, a certificate always includes the digital signature of the issuing CA. The CA's
digital signature allows the certificate to function as a letter of introduction for users who know and
trust the CA but don't know the entity identified by the certificate.
Machine Certificates for the XSR
Certificates can be used by the IKE subsystem to establish SAs for IKE/IPSec tunneling. Key data
in the certificates is used to identify other IPSec clients to the XSR and vice versa. In order to utilize
certificates on the XSR you must manually collect the certificates for one or more CAs (depending
on your configuration) and enroll a certificate for the router. Certificates for CAs are identified as CA
certificates, and certificates representing an IPSec client are identified as IPSec client certificates.
The XSR uses SCEP to retrieve certificates for the XSR and any CA that may exist in
the XSR’s or peer’s certificate chain.
Certificate Revocation Lists (CRLs) are used to ensure that both the XSR and any peer certificate
are currently valid. CRLs list all certificates that have been revoked by CAs before their natural
expiration occurs. The XSR must validate every IPSec certificate it uses against current CRLs
available from CAs in the IPSec client certificate chain.
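The CRL check described above, as an added example that is not code from the XSR or from this guide: a simplified model of walking a certificate chain and checking each certificate against a current CRL from its issuer. The `Cert` and `CRL` records, the names in the sample data, and the choice to reject when a CRL is missing or stale are assumptions of this example; X.509 parsing and signature verification are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:   # simplified stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    serial: int
    not_after: datetime

@dataclass(frozen=True)
class CRL:    # simplified stand-in for a parsed CRL
    issuer: str
    next_update: datetime          # after this time the CRL is no longer current
    revoked: frozenset = frozenset()

def check_chain(chain, crls, now):
    """chain is ordered peer certificate first, root CA last.
    Returns (ok, reason). Signature verification is out of scope here."""
    crl_by_issuer = {c.issuer: c for c in crls}
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"{cert.subject}: expired"
        if cert.subject == cert.issuer:
            continue  # self-signed root: trusted by configuration
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False, f"{cert.subject}: issuer {cert.issuer} not in chain"
        crl = crl_by_issuer.get(cert.issuer)
        if crl is None:   # assumption: reject rather than skip the check
            return False, f"{cert.subject}: no CRL from {cert.issuer}"
        if now > crl.next_update:
            return False, f"{cert.subject}: CRL from {cert.issuer} is stale"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
    return True, "chain valid"

# Constructed sample data (not taken from any real CA).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", 1, LATER)
SUB = Cert("Example Sub CA", "Example Root CA", 2, LATER)
PEER = Cert("peer.example", "Example Sub CA", 77, LATER)
CHAIN = [PEER, SUB, ROOT]

if __name__ == "__main__":
    fresh = [CRL("Example Root CA", LATER), CRL("Example Sub CA", LATER)]
    print(check_chain(CHAIN, fresh, NOW))
    sub_revoked = [CRL("Example Root CA", LATER, frozenset({2})), fresh[1]]
    print(check_chain(CHAIN, sub_revoked, NOW))
```

Revoking the intermediate CA invalidates the peer certificate beneath it even though the peer's own serial number appears on no CRL, which is why every certificate in the chain is checked and not only the peer's.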
Caution: We recommend that you do not enroll more certificates than permitted by the 1.5 MByte
system limit imposed on the cert.dat file. Doing so may render the XSR unstable and require
you to delete the file.
Note: MS Windows SCEP service delivered with the Windows 2000 OS requires updating to the
latest Microsoft patch for SCEP.