- IKE Overview
- Pre-Shared Keys
- RSA Signatures
- RSA Encryption
- Certificate Authorities and Digital Certificates
- How IPSec Works
Certificate Authorities and Digital Certificates
The distribution of keys in a public key scheme requires some trust. If the infrastructure is untrusted and control is questionable (such as on the Internet), distribution of keys is troublesome. RSA signatures are used by certificate authorities (CAs), which are trusted third-party organizations. VeriSign, Entrust, and Netscape are examples of companies that are providing digital certificates. A client registers with a certificate authority; after the CA verifies the client's credentials, a certificate is issued.
The digital certificate is a package containing information such as a certificate bearer's identity: his or her name or IP address, the certificate's serial number, the certificate's expiration date, and a copy of the certificate bearer's public key. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates, and is the standard that Cisco is supporting. Figure 2 identifies some key points of CA operation.
Figure 2 CAs and digital certificates.