- Enterasys Security Router User's Guide

Describing Public-Key Infrastructure (PKI)
XSR User’s Guide 14-7
CRL checking is not optional. CRLs are collected automatically by the XSR using information
available in the IPSec and CA certificates it has already collected.
Two methods are available to perform this collection:
HTTP Get issues an HTTP-based request to collect the certificate.
LDAP issues URL requests to collect CRLs.
Most CAs can be configured to use either or both of these CRL retrieval mechanisms. The XSR
automatically uses one method or the other based on information stored in the certificates.
CA Hierarchies
In large organizations, it may be advantageous to delegate the responsibility for issuing
certificates to several different CAs. For example, the number of certificates required may be too
large for a single CA to maintain; different organizational units may have different policy
requirements; or it may be important for a CA to be physically located in the same geographic area
as the people to whom it is issuing certificates.
It is also possible to delegate certificate-issuing responsibilities to subordinate CAs. The X.509
standard includes a model for setting up a hierarchy of CAs. As shown in Figure 14-3, the root CA
is at the top of the hierarchy. The root CA's certificate is a self-signed certificate: that is, the
certificate is digitally signed by the same entity - the root CA - that the certificate identifies.
Figure 14-3 Sample Hierarchy of CAs
The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA.
CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate CAs.
Certificate Chains
CA hierarchies are reflected in certificate chains. A certificate chain is a series of certificates issued
by successive CAs. Figure 14-4 shows a certificate chain leading from a certificate that identifies
some entity through two subordinate CA certificates to the CA certificate for the root CA (based
on the CA hierarchy shown in Figure 14-4).
[Figure labels: Root CA; Subordinate CAs: US CA, Europe CA, Asia CA, Marketing CA, Sales CA, Admin CA; Figure 14-4 chain: Certificate issued by Admin CA]
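The chain walk described in the two sections above (mandatory CRL checking, and the path from an end-entity certificate through subordinate CAs to the self-signed root), as an added example that is not part of the XSR guide. It models the Root CA, US CA and Admin CA labels from the figures; the CA secrets, serial numbers and host name are constructed, and the HMAC "signatures" stand in for real X.509 signatures so that the path-building and revocation logic can run offline.

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    sig: bytes = b""

    def tbs(self) -> bytes:  # to-be-signed fields, as a CA would hash them
        return f"{self.subject}|{self.issuer}|{self.serial}".encode()

class CA:
    """A CA with a constructed secret; the root signs its own certificate."""
    def __init__(self, name: str, parent: "CA | None" = None):
        self.name = name
        self.secret = hashlib.sha256(f"constructed-secret-{name}".encode()).digest()
        self.cert = Cert(name, parent.name if parent else name, 1)
        (parent or self).sign(self.cert)

    def sign(self, cert: Cert) -> None:  # stand-in for an X.509 signature
        cert.sig = hmac.new(self.secret, cert.tbs(), hashlib.sha256).digest()

    def verify(self, cert: Cert) -> bool:
        expected = hmac.new(self.secret, cert.tbs(), hashlib.sha256).digest()
        return hmac.compare_digest(cert.sig, expected)

def validate(leaf: Cert, cas: dict, trusted_root: str, crls: dict):
    """Walk leaf -> subordinate CAs -> root. Each link must verify against its
    issuer, and the issuer's CRL must be present (CRL checking is not optional)
    and must not list the certificate's serial."""
    cert = leaf
    while True:
        issuer = cas.get(cert.issuer)
        if issuer is None or not issuer.verify(cert):
            return False, f"no valid signature on {cert.subject} from {cert.issuer}"
        crl = crls.get(cert.issuer)  # CRLs the router has collected, keyed by CA
        if crl is None:
            return False, f"CRL for {cert.issuer} not available"
        if cert.serial in crl:
            return False, f"{cert.subject} revoked by {cert.issuer}"
        if cert.issuer == cert.subject:  # self-signed: end of the chain
            ok = cert.subject == trusted_root
            return ok, "chain ends at trusted root" if ok else "chain ends at untrusted root"
        cert = issuer.cert

def build_hierarchy():
    root = CA("Root CA")
    us = CA("US CA", root)
    admin = CA("Admin CA", us)
    leaf = Cert("xsr.example.test", "Admin CA", 42)  # constructed end-entity certificate
    admin.sign(leaf)
    return {c.name: c for c in (root, us, admin)}, leaf
```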