Digital Certificates - VPN Tutorial



Public Key Authentication

Like pre-shared keys, digital certificates are another way to prove your identity: they show that you are who you say you are, or that your VPN firewall is who it says it is. A digital certificate is an electronic document obtained from a reputable Certification Authority (CA), which manages such certificates. Verisign is an example of a Certification Authority. If two peers accept each other's digital certificates, they trust each other's identity, that is, each trusts that the opposite peer is who it says it is.

When a CA issues a certificate to a VPN device, it is guaranteeing that the VPN device is who it claims to be, and it does this by signing the certificate it assigns and provides to the VPN device.

A real-life comparison would be humans carrying identity documents such as a driving licence or a passport. A digital certificate plays the same role for authenticating devices: a device proves it is who it says it is by presenting its certificate (its version of a passport or driving licence) to peer devices.

Remember that the certificate presented, and the certification authority that issued it, must be trusted. If a remote party does not trust your certification authority, or does not know your CA at all, then your identity may not be trusted. Certificates issued by a well-known provider such as Verisign are going to be trusted by everyone, but certificates issued by small CAs could easily not be trusted.

In a real-world scenario, if a person showed you a DVLA driving licence you would feel confident they are who they say they are, since the ID was issued by the DVLA. If instead they showed you an employee ID from the company Joe Bloggs, or some other random ID, you would most likely feel a little suspicious.

How this works is that you are issued a certificate by a CA. When you present your certificate to a peer, the peer checks it against the CA certificate, which is cryptographically tied to your certificate through the CA's signature; if the signature verifies, the remote peer trusts your identity. You take the same steps to check your remote peer's identity.
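The check described above, as an added example in Go using only the standard library's crypto/x509 (this is not code from the tutorial): a constructed "known" CA and a constructed "small" CA each issue a certificate to a VPN peer, and the receiving peer accepts only the certificate that chains, via the CA's signature, to a CA in its own trust store. All CA and peer names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert mints a certificate for name: self-signed when issuer is nil (a CA vouching for itself), else signed by that CA.
func NewCert(name string, isCA bool, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for an example, not for a real CA
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer, issuerKey // the CA's signature is its guarantee of the holder's identity
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PeerTrusted is the check a peer runs on a presented certificate: does it chain, via a valid signature, to a CA in our trust store?
func PeerTrusted(presented *x509.Certificate, trustedCAs ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	// ExtKeyUsageAny: we are authenticating a VPN peer, not a TLS server
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil // a certificate from a CA we do not know fails here
}
```

Create two CAs with NewCert(name, true, nil, nil), issue a peer certificate from each, and call PeerTrusted with only the first CA in the trust store to see the second CA's certificate rejected.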

Further Reading

Wikipedia's guide to Public Key Certificates