A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority (CA). Alternatively, you can use a self-signed certificate to attest to your identity. For details on self-signed certificates, see Understanding Self-Signed Certificates.
Before You Begin
For background information, read Understanding Public Key Cryptography.
The CA server you use can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and certificate revocation list (CRL) servers (for obtaining certificates and certificate revocation lists) and for the information they require when submitting personal certificate requests. When you are your own CA, you determine this information yourself.
Note: The following CAs are supported: Entrust, Microsoft, and Verisign.
The certificate authority (CA) that issues a certificate uses an MD5 or SHA-1 hash algorithm to generate a digest, then “signs” the certificate by encrypting the digest with its private key. The result is a digital signature. The CA then makes the digitally signed certificate available for download to the person who requested it. Figure 66 illustrates this process.
The recipient of the certificate generates another digest by applying the same MD5 or SHA-1 hash algorithm to the certificate file, then uses the CA's public key to decrypt the digital signature. By comparing the decrypted digest with the digest just generated, the recipient is able to confirm the integrity of the CA's signature and, by extension, the integrity of the accompanying certificate. Figure 66 illustrates this process.
Note: If the issuer of the end-entity (EE) certificate is not a root certificate, up to eight levels are verified (as explained in Understanding Public Key Infrastructure). The revocation status of each certificate in the verification chain is also verified. A certificate's revocation status is considered “good” when its serial number does not appear in a CRL that satisfies the refresh requirement set in the CA profile.
Figure 66: Digital Signature Verification
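The sign-and-verify steps above, together with the chain walk and CRL check from the note, as an added illustration that is not part of the original documentation. The toy RSA keys built from Mersenne primes, the certificate field layout, and the names and serial numbers are all constructed for the example; the CRL is modelled as a per-issuer set of revoked serial numbers.

```python
import hashlib

# Constructed toy RSA keys built from Mersenne primes so the example runs offline.
# They are far too small for real use; they only illustrate the mechanics.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def digest(data):
    # The text describes MD5 or SHA-1 digests; SHA-1 is used here (modern CAs use SHA-256).
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(tbs, priv):
    # "Encrypt" the digest with the CA's private exponent: the result is the digital signature.
    return pow(digest(tbs), priv["d"], priv["n"])

def verify(tbs, sig, pub):
    # "Decrypt" the signature with the public exponent and compare it with a fresh digest.
    return pow(sig, pub["e"], pub["n"]) == digest(tbs)

def make_cert(subject, serial, key, issuer=None, issuer_key=None):
    # A certificate is its to-be-signed (tbs) fields plus the issuer's signature over them.
    # With no issuer given, the certificate is self-signed (a root CA certificate).
    issuer_name = issuer["subject"] if issuer else subject
    tbs = f"{subject}|{issuer_name}|{serial}|{key['n']}|{key['e']}".encode()
    return {"subject": subject, "issuer": issuer_name, "serial": serial,
            "pub": {"n": key["n"], "e": key["e"]}, "tbs": tbs,
            "sig": sign(tbs, issuer_key or key)}

def verify_chain(chain, trust_anchor, crl, max_depth=8):
    # chain lists the EE certificate first, then each issuer up to (not including) the
    # trusted root. Each link must be signed by the next link and must not appear in that
    # issuer's CRL; at most max_depth links are walked, matching the eight-level limit.
    if not chain or len(chain) > max_depth:
        return False
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_anchor
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify(cert["tbs"], cert["sig"], issuer["pub"]):
            return False
        if cert["serial"] in crl.get(issuer["subject"], set()):
            return False
    return verify(trust_anchor["tbs"], trust_anchor["sig"], trust_anchor["pub"])

ROOT_KEY = make_key(2**127 - 1, 2**89 - 1)     # constructed sample keys
INT_KEY = make_key(2**107 - 1, 2**61 - 1)
EE_KEY = make_key(2**521 - 1, 2**31 - 1)
ROOT = make_cert("Example Root CA", 1, ROOT_KEY)
INTERMEDIATE = make_cert("Example Issuing CA", 2, INT_KEY, ROOT, ROOT_KEY)
EE = make_cert("host.example.net", 3, EE_KEY, INTERMEDIATE, INT_KEY)
```

`verify_chain([EE, INTERMEDIATE], ROOT, {})` returns True; any change to a certificate's tbs bytes, a revoked serial in the issuer's CRL, or a chain longer than eight links makes it return False.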

The procedure for digitally signing messages sent between two participants in an Internet Key Exchange (IKE) session is similar to digital certificate verification, with the following differences: