Enterasys Security Router User's Guide

Describing Public-Key Infrastructure (PKI)
14-8 Configuring the Virtual Private Network
Figure 14-4 Certificate Chain Example
A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following holds:

Each certificate is followed by the certificate of its issuer.

Each certificate contains the name of that certificate's issuer, which is the same as the subject name of the next certificate in the chain. In Figure 14-4, the Admin CA certificate contains the name of the CA (that is, U.S. CA) that issued that certificate. U.S. CA's name is also the subject name of the next certificate in the chain.

Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain. In Figure 14-4, the public key in the certificate for the U.S. CA can verify the U.S. CA's digital signature on the certificate for the Admin CA.
The XSR automatically verifies the certificate chain structure associated with any IPSec client certificate once you have manually collected the certificates of all CAs in the chain. This includes the chain for the certificate enrolled by the XSR and the chains for any IPSec peer that will establish tunnels with the router. The CA certificates must be collected manually, but they are automatically chained together using the issuer and subject information in the CA and client certificates; you do not have to create these chains yourself.

CA certificates are stored in a local certificate database. The XSR's IPSec client certificate is enrolled in a CA with SCEP enroll and stored in the local certificate DB. Certificates for peer IPSec clients are passed to the XSR by IKE, used to authenticate the peer, and then discarded.
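The chain rules above (issuer name equals the next certificate's subject, signature verifies with the next certificate's public key, stop at a self-signed root that is already in the local CA database) modelled in Python. This is an added example, not code from the guide or the XSR; the "certificates" are dictionaries rather than X.509, and the keys are textbook RSA over constructed small primes, so they are for illustration only.

```python
import hashlib

E = 65537  # public exponent; primes below are constructed toy values, not secure sizes

def make_key(p, q):
    """Textbook RSA key from two primes (illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def tbs_digest(cert, n):
    """SHA-256 of the 'to-be-signed' fields (subject, issuer, subject public key), reduced mod n."""
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, subject_key, issuer_name, issuer_key):
    """The issuer signs the certificate with its private exponent d."""
    cert = {"subject": subject, "issuer": issuer_name,
            "pub": (subject_key["n"], subject_key["e"])}
    cert["sig"] = pow(tbs_digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def verify_chain(chain, trusted_roots):
    """chain[0] is the certificate being checked, each followed by its issuer's certificate.
    trusted_roots maps root CA name -> public key (the locally stored CA certificates)."""
    for i, cert in enumerate(chain):
        self_signed = cert["subject"] == cert["issuer"]
        issuer_cert = cert if self_signed else (chain[i + 1] if i + 1 < len(chain) else None)
        if issuer_cert is None:
            return False, f"no issuer certificate follows {cert['subject']}"
        # Rule: the issuer name must equal the subject name of the next certificate.
        if issuer_cert["subject"] != cert["issuer"]:
            return False, f"issuer name mismatch at {cert['subject']}"
        # Rule: the signature must verify with the next certificate's public key.
        n, e = issuer_cert["pub"]
        if pow(cert["sig"], e, n) != tbs_digest(cert, n):
            return False, f"bad signature on {cert['subject']}"
        if self_signed:  # reached the root: accept only if it is already trusted
            if trusted_roots.get(cert["subject"]) == cert["pub"]:
                return True, f"chain anchored at trusted root {cert['subject']}"
            return False, f"untrusted root {cert['subject']}"
    return False, "chain did not reach a self-signed root"

# Constructed hierarchy from Figure 14-4: Root CA -> U.S. CA -> Admin CA.
ROOT_KEY = make_key(104729, 1299709)
US_KEY = make_key(15485863, 32452843)
ADMIN_KEY = make_key(49979687, 67867967)
ROOT_CERT = issue("Root CA", ROOT_KEY, "Root CA", ROOT_KEY)   # CA certificate signed by self
US_CERT = issue("U.S. CA", US_KEY, "Root CA", ROOT_KEY)      # CA certificate signed by Root CA
ADMIN_CERT = issue("Admin CA", ADMIN_KEY, "U.S. CA", US_KEY)  # certificate issued by U.S. CA
TRUSTED = {"Root CA": ROOT_CERT["pub"]}
CHAIN = [ADMIN_CERT, US_CERT, ROOT_CERT]

if __name__ == "__main__":
    print(verify_chain(CHAIN, TRUSTED))
```

Dropping the U.S. CA certificate from the chain, or signing the Admin CA certificate with a key other than the U.S. CA's, makes verify_chain report the failing rule.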
RA Mode
Some CA implementations delegate the CA's operation and authentication of clients to Registration Authority (RA) agents; the Microsoft CA is implemented this way. The XSR automatically adjusts to the CA's mode of operation: you need not specify whether your CA uses RA mode. If your CA uses RA mode, you will notice more than one certificate for the CA after you authenticate against it.
[Figure 14-4, Certificate Chain Example: a program verifying a certificate follows the chain from the Admin CA certificate (issued by U.S. CA, an intermediate authority) to the U.S. CA certificate (signed by Root CA) to the Root CA certificate (signed by self, the trusted authority). Other CAs shown in the hierarchy: Marketing CA, Sales CA, Europe CA, Asia CA.]