Summary

Digital certificates offer a significant advantage over preshared keys. A preshared key has no intrinsic tie to the IPSec entity on which it is configured: it is only a secret that both sides happen to know. With digital certificates, you prove your identity to a certificate authority (CA), which in turn issues an identity certificate containing your identification information, your public key, and information about the issuing CA, all signed by the CA. With this identity certificate, your identity is bound to your key pair like a digital ID that you can use to authenticate to your IPSec peers. Preshared keys also require significant configuration work whenever you add IPSec peers or a key is compromised, because every device that shares the key must be updated. With digital certificates, compromised certificates are tracked through certificate revocation lists (CRLs), and adding an IPSec peer does not require a major configuration change on every other device.

Certificate authorities are the heart of a PKI design. A design may use a central structure with only a single root CA. In large-scale networks, however, a tiered or hierarchical CA structure is possible, in which CA responsibilities are offloaded to subordinate CAs and registration authorities (RAs).

When a device receives a digital certificate, it must validate that certificate to establish the identity of the connecting IPSec peer. To do so, the peer verifies the CA's signature on the certificate using the CA's public key, taken from the CA (root) certificate already installed on the device. It also examines the validity dates in the certificate and compares them against its own system clock to make certain that the certificate is in its validity period and has not expired, which is why accurate time on both peers matters. Finally, if CRL checking is enabled, the authenticating device retrieves the CRL and checks whether the certificate's serial number appears on it; a certificate whose serial number is listed is rejected.

To configure the Cisco VPN 3000 Concentrator to support X.509 digital certificates, you generate a PKCS#10 certificate request on the concentrator. That request is handled either manually (the request is downloaded from the concentrator, submitted to the CA, and the resulting certificate is uploaded back) or automatically through SCEP (Simple Certificate Enrollment Protocol). It is imperative to load the root (CA) certificate before the identity certificate, because the concentrator validates the identity certificate with the root CA's public key. After the certificates are loaded on the concentrator, you must change the IKE proposal to use RSA or DSA certificate authentication instead of preshared keys. Finally, you must apply that IKE proposal and the identity certificate to an IPSec SA.
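The three peer-side checks (CA signature under the installed root certificate, validity dates against the local clock, serial number against the CRL) and the request-and-issue flow that PKCS#10 enrollment follows can be exercised end to end with the openssl command-line tool. The script below is an added example, not text or code from the Exam Cram book or from Cisco. It assumes an OpenSSL 1.1.1 or later binary on the path; it builds a throwaway root CA in a temporary directory, issues two identity certificates from PKCS#10 requests, revokes one, publishes a CRL, and then runs each check. The CA names, peer names, serial numbers and the 2100-01-01 timestamp (used to stand in for a peer whose clock is past the certificate's expiry) are all constructed for the demo.

```sh
#!/bin/sh
# Added example: a throwaway PKI built with the openssl CLI to exercise the
# peer-side certificate checks and the PKCS#10 request/issue flow.
# Names, serial numbers and the 2100-01-01 timestamp are constructed for the demo.
set -eu

# Run a command silently; its exit status still propagates to the caller.
quiet() { "$@" >/dev/null 2>&1; }

# Build a root CA in DIR, issue two identity certificates from PKCS#10
# requests, revoke one of them, and publish a CRL signed by the CA.
setup_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal config: 'openssl req' wants a DN section; 'openssl ca' needs a
    # database and a CRL number file to track issued and revoked serials.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"

    # Root CA: self-signed, flagged as a CA allowed to sign certs and CRLs.
    quiet openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Demo Root CA" \
        -days 3650 -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
    # An unrelated root: a certificate it did not sign must fail validation.
    quiet openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" -subj "/CN=Rogue CA" \
        -days 3650 -addext "basicConstraints=critical,CA:TRUE"

    # Each peer generates its own key pair and a PKCS#10 request (what the
    # concentrator produces); the CA signs the request into an identity cert.
    serial=4097  # 0x1001 for the first peer, 0x1002 for the second
    for peer in good revoked; do
        quiet openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$peer.key" -subj "/CN=vpn-peer-$peer" -out "$dir/$peer.csr"
        quiet openssl x509 -req -in "$dir/$peer.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -set_serial "$serial" -days 365 -out "$dir/$peer.pem"
        serial=$((serial + 1))
    done

    # Revoke the second certificate and publish a CRL signed with the CA key.
    quiet openssl ca -config "$dir/ca.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.pem" \
        -md sha256 -revoke "$dir/revoked.pem"
    quiet openssl ca -config "$dir/ca.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.pem" \
        -md sha256 -gencrl -out "$dir/crl.pem"
}

# Checks 1 and 2: the CA signature on CERT verifies under the installed root
# ROOT, and the validity period covers the evaluation time (now, or the Unix
# time WHEN, standing in for a peer whose clock reads differently).
cert_chain_ok() {
    root=$1; cert=$2; when=${3:-}
    if [ -n "$when" ]; then
        quiet openssl verify -CAfile "$root" -attime "$when" "$cert"
    else
        quiet openssl verify -CAfile "$root" "$cert"
    fi
}

# Check 3: CERT's serial is not on CRL, and the CRL itself carries a valid
# CA signature and is still current; -crl_check makes openssl do all three.
cert_not_revoked() {
    root=$1; crl=$2; cert=$3
    quiet openssl verify -CAfile "$root" -crl_check -CRLfile "$crl" "$cert"
}

# The serial-number comparison spelled out: true when CERT's serial number
# appears in the CRL's list of revoked certificates.
serial_on_crl() {
    crl=$1; cert=$2
    serial=$(openssl x509 -in "$cert" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$crl" -noout -text | grep -q "Serial Number: $serial"
}

# Stand-alone demo: build the PKI in a scratch directory and report each check.
report() { label=$1; shift; if "$@"; then echo "accept: $label"; else echo "reject: $label"; fi; }
d=$(mktemp -d)
setup_demo_pki "$d"
report "good peer, installed root, clock now" cert_chain_ok "$d/ca.pem" "$d/good.pem"
report "good peer, wrong root (signature fails)" cert_chain_ok "$d/rogue.pem" "$d/good.pem"
report "good peer, clock at 2100-01-01 (expired)" cert_chain_ok "$d/ca.pem" "$d/good.pem" 4102444800
report "good peer, CRL check" cert_not_revoked "$d/ca.pem" "$d/crl.pem" "$d/good.pem"
report "revoked peer, CRL check" cert_not_revoked "$d/ca.pem" "$d/crl.pem" "$d/revoked.pem"
report "revoked peer serial listed on CRL" serial_on_crl "$d/crl.pem" "$d/revoked.pem"
rm -rf "$d"
```

Running the script prints one accept/reject line per check; the rejected cases are the ones a peer would refuse to bring up an IKE SA with. Note that openssl verify also evaluates the CRL's own signature and its nextUpdate time, so a stale CRL or a skewed clock causes a rejection even when the identity certificate itself is fine; those two are among the first things to check when a certificate-authenticated tunnel stops coming up.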

CCSP CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
