Home Page

VPN & Cryptography

Firewalls

Email & Spam

Security Terminology

 

VPN Terminology

VPN Tutorial Guide

3DES

AES

Aggressive Mode

Authentication Header

Asymmetric Encryption

Authentication

Certification Authority

Data Integrity

DES

Diffie-Hellman

Digital Certificate

Dynamic IP addresses

Encryption

ESP

IKE Oakley & ISAKMP

IPSec

IPSec Quick Mode

L2TP

Main Mode

MD5

NAT-T

PFS

PKI

Policy-vs-Route-VPN

PPTP

Pre-Shared Key

Remote Access User

RSA

Security Association

Sha-1

Site to Site VPN

SSL VPN

Transform Sets

Tunnel mode and Transport mode

VPN client tunneling option

VPN Topologies

VPN Tunnel

 

Digital Certificates - IPsec VPN Tutorial

 

 

Similar to using pre-shared keys to provide authentication, using digital certificates is another method to prove you are who you claim to be. In the case of VPN gateway devices, your VPN Firewall will use a digital certificate to prove it is the device it claims to be. A digital certificate is an electronic document and is obtained by a public Certification Authority (CA) who manages such certificates. Verisign is an example of a reputable Certification Authority. If two peers accept each other’s digital certificates, they trust each other's identity, though they trust that the opposite peer is who they say they are.

When a CA such as Verisign, issues a certificate to a VPN device, then it is guaranteeing the VPN device is who it claims to be and it does this by signing the certificate it assigns and provides to the VPN device.

In a real life comparison, it compares to people who have identity cards such as a driving licences and passports. A digital certificate plays the same role for authenticating devices proving they are who they say they are by exposing their certificates (Their version of a passport/driving licence) to peer devices.

The certificate presented and its certificate authority who issued the certificate must be trusted by the peer device. If a remote party does not trust your certificate authority or does not know your CA, then your identity will not be trusted. Certificates issued by a known provider such as Verisign is typically going to be trusted by everyone, but certificates issued by smaller CA’s could easily not be trusted by a particular VPN gateway device. However, this is usually easy to fix by manually trusting the CA by importing its certificate into the VPN device.

Although out of scope of this article, there are other methods of using digital certificates with Certificate Authorities, where you don't always have to use a public Certificate Authority service; you can alternatively use a private internal Certificate Authority services within an organisation, or by using a Certificate Authority built into a VPN device.

In a real world scenario, if you were shown an ID from a person using his/her DVLA driving license, you would feel confident the person is who he/she claims to be. However on the other hand, if he/she was to show you his/her employee ID from the company he/she works for, or another random ID, you would most likely feel a little suspicious. It just doesn't hold the credibility as an official passport or driving licence.

How this works is, you are issued a certificate from a CA. When you pass your certificate to a peer, they check your certificate against the CA certificate which is cryptographically tied with your certificate, and if they match, then the remote peer would trust your identity. You would also take the same steps in checking your remote peer’s identity.

Further Reading

Wikipedia's guide to Public Key Certificates