
The Certificate Authority - VPN Tutorial



When you're opening a bank account you have to present a form of ID from a reliable source, such as a passport or driving licence; CAs provide this form of identity for the internet. We use digital signatures to form digital credentials that authenticate the identity of the person sending data in an IPSec arrangement, and these digital certificates are provided by CAs such as Verisign.

Verisign sends a certificate to each person or entity and digitally signs it with its own (Verisign's) private key, which certifies the authenticity of the user. Certificates are then loaded and verified by end users.

For example, Joe wants to communicate with Carl, so he sends his certificate to Carl, and Carl checks the certificate's CA signature against Verisign. He uses the CA public key obtained from Verisign to confirm that the CA signature on the certificate is genuine. If the certificate is valid then Carl can assume Joe is who he says he is, and the message is valid. Then Joe checks Carl's certificate, and if that certificate is also fine and valid, the VPN process can proceed.

All certificates are exchanged during the IPSec negotiation process. CAs are the masterminds behind the public key infrastructure (PKI). The CA's digital certificate is created with the CA's private key; it is the one that guarantees the authenticity.

Some examples of public CAs are Verisign, RSA, Entrust, Thawte and Baltimore.

Looking further into digital certificates and CAs, there are two parts to be aware of that can be confusing, so below are the differences and the relationship between them:

Digital signature – links a message or data to a sender's private key. On the receiving end that encrypted hash can only be decrypted by using the sender's public key.

Digital certificate – binds or links a person or a corporate entity to a private key, not the data or the message.

The relationship between a digital signature and a digital certificate is that a certificate can be used to link or bind a person or entity to a digital signature. The certificate is like the driver's licence and the signature is like the credit card.
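To make the Joe and Carl exchange above and the signature/certificate distinction concrete, here is an added example in Python (not code from this tutorial): a toy CA signs certificates that bind a name to that subject's public key, Carl verifies the CA signature with the CA public key, and then verifies Joe's message signature with the public key carried in the certificate. The names, the textbook RSA on fixed small primes and the key values are all constructed for illustration and are not secure.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def make_keypair(p, q):
    # Textbook RSA from two constructed primes: toy sizes, illustration only.
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    # The signer's private key transforms the hash; only the matching public key reverses it.
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data: bytes, sig: int) -> bool:
    # Anyone holding the public key can check that the signature matches the data.
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def issue_certificate(ca_priv, subject: str, subject_pub) -> dict:
    # The CA binds a subject name to the subject's public key and signs that binding.
    body = {"subject": subject, "public_key": subject_pub}
    tbs = json.dumps(body, sort_keys=True).encode()
    return {**body, "ca_signature": sign(ca_priv, tbs)}

def verify_certificate(ca_pub, cert: dict) -> bool:
    # Carl's check: does the CA's signature on this certificate hold under the CA public key?
    body = {"subject": cert["subject"], "public_key": cert["public_key"]}
    tbs = json.dumps(body, sort_keys=True).encode()
    return verify(ca_pub, tbs, cert["ca_signature"])

def accept_peer_message(ca_pub, cert: dict, message: bytes, sig: int) -> bool:
    # Chain of trust: CA signature on the certificate, then the certified key on the message.
    return verify_certificate(ca_pub, cert) and verify(cert["public_key"], message, sig)

# Constructed keys: the CA, Joe and Carl each get their own toy RSA pair.
CA_PUB, CA_PRIV = make_keypair(1000000007, 998244353)
JOE_PUB, JOE_PRIV = make_keypair(1000000009, 2147483647)
CARL_PUB, CARL_PRIV = make_keypair(999999937, 1000000021)
JOE_CERT = issue_certificate(CA_PRIV, "joe", JOE_PUB)
CARL_CERT = issue_certificate(CA_PRIV, "carl", CARL_PUB)

def demo():
    msg = b"IKE proposal from joe"  # constructed sample message
    sig = sign(JOE_PRIV, msg)
    genuine = accept_peer_message(CA_PUB, JOE_CERT, msg, sig)
    # A certificate whose subject was altered after the CA signed it must be rejected.
    forged = dict(JOE_CERT, subject="mallory")
    return genuine, accept_peer_message(CA_PUB, forged, msg, sig)
```

Running `demo()` returns `(True, False)`: the untouched certificate and signature chain back to the CA, while the altered certificate fails the CA signature check before the message is even considered.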

Further Reading

Wikipedia's guide to Certification Authority