The Certificate Authority - VPN Tutorial
When you open a bank account you have to bring a form of ID from a reliable source, such as a passport or driving licence; Certificate Authorities (CAs) provide that form of identity online. Digital signatures are used to form the digital credentials we use over the internet to authenticate the identity of the party sending data in an IPSec arrangement, and these digital certificates are issued by CAs such as Verisign.
Verisign sends a certificate to each person or entity and digitally signs it with its own (Verisign's) private key, which certifies the authenticity of the user. The certificates are then loaded and verified by the end users.
For example, Joe wants to communicate with Carl, so he sends his certificate to Carl. Carl checks the CA signature on the certificate against Verisign: he uses Verisign's CA public key to confirm that the CA's signature is genuinely on the certificate. If the certificate is valid, Carl can assume Joe is who he says he is and that the message is valid. Joe then checks Carl's certificate in the same way, and if it is also valid, the VPN process can proceed.
All certificates are exchanged during the IPSec negotiation process. CAs are the masterminds behind the public key infrastructure (PKI). The CA's own digital certificate is created with the CA's private key; it is the one that guarantees the authenticity of the others.
Some examples of public CAs are Verisign, RSA, Entrust, Thawte and Baltimore.
Looking further into digital certificates and CAs, there are two parts to be aware of that are easily confused, so below are the differences and the relationship between them:
Digital signature – links a message or data to the sender's private key. A hash of the data is encrypted with the sender's private key; on the receiving end that encrypted hash can only be decrypted using the sender's public key.
Digital certificate – binds or links a person or corporate entity to a private key, not to the data or the message.
The relationship between a digital signature and a digital certificate is that a certificate can be used to link or bind a person or entity to a digital signature. The certificate is like the driver's licence and the signature is like the credit card.
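The Joe/Carl exchange and the signature-versus-certificate distinction above can be run end to end with the Go standard library. The following is an added example written for this page, not code from the tutorial or from any VPN product: it builds a root CA whose certificate is signed with the CA's own private key, has that CA issue certificates to Joe and Carl, performs Carl's check of Joe's certificate (CA signature verified with the CA's public key, validity window, expected name), and then shows a digital signature over a message being verified with the public key carried in Joe's certificate, which is how X.509 binds an identity to a key. The CA name, the names Joe and Carl, the serial numbers and the "IKE payload" text are constructed placeholders; real IPSec peers exchange the certificates inside the IKE negotiation rather than as Go values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Ident pairs a party's private key with the certificate carrying its public key (constructed type for this example).
type Ident struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// template is the part of a certificate CAs and end entities share: subject name, serial number and validity window.
func template(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// mint generates a fresh key pair for tmpl's subject and has signer's private key sign the
// certificate; a nil signer means self-signed, which is how a root CA's own certificate is made.
func mint(tmpl *x509.Certificate, signer *Ident) (*Ident, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.Cert, signer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Ident{Key: key, Cert: cert}, nil
}

// NewCA builds a root CA whose certificate is signed with the CA's own private key.
func NewCA(name string) (*Ident, error) {
	tmpl := template(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return mint(tmpl, nil)
}

// Issue has the CA sign an end-entity certificate binding name to a new public key. In practice the
// subject generates the key pair and sends only the public half in a request; mint does both here for brevity.
func Issue(ca *Ident, name string, serial int64) (*Ident, error) {
	tmpl := template(name, serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	return mint(tmpl, ca)
}

// VerifyPeer is Carl's check on the certificate Joe presents: the CA signature must verify under a
// CA certificate Carl already trusts, the validity window must include now, and the name must match.
func VerifyPeer(peer, trustedCA *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return err // unknown CA, expired certificate or bad signature
	}
	if peer.Subject.CommonName != expectedName {
		return errors.New("certificate is genuine but was issued to a different party")
	}
	return nil
}

// SignMessage is the digital signature from the tutorial: a hash of the data signed with the sender's private key.
func SignMessage(sender *Ident, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, sender.Key, digest[:])
}

// VerifyMessage checks that signature with the public key taken from the sender's (already verified) certificate.
func VerifyMessage(senderCert *x509.Certificate, msg, sig []byte) bool {
	if pub, ok := senderCert.PublicKey.(*ecdsa.PublicKey); ok {
		digest := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return false
}
```

Two checks in VerifyPeer are easy to forget and worth keeping separate in your head: the chain check answers "did a CA I trust sign this?", and the name check answers "was it issued to the peer I expected?". A certificate that passes the first but not the second is a genuine certificate for somebody else, and a certificate from a CA that is not in the trusted pool fails the first check even if its signature is internally consistent.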
Further Reading
Wikipedia's guide to Certification Authority