Certification Authorities
IKE interoperates with X.509v3 certificates for authentication that requires public keys.
Certification authorities (CA) manage certificate requests, issue digital certificates, and
publish certificate revocation lists (CRL) to list certificates that are no longer valid. A digital
certificate contains information about the user or device and includes a copy of its public key.
This technology enables IPSec-protected networks to scale, because the peers simply
exchange digital certificates that have been authenticated by a CA, removing the requirement
to configure the preshared key manually for each IPSec peer. The PIX interoperates with CA
server products from the following vendors:
■ Baltimore Technologies
■ Entrust Corporation
■ Microsoft Corporation
■ VeriSign
After ensuring that you have correctly configured the firewall host name, domain name, and
the system date/time, you can initiate enrollment with a CA server. It is important that your
date and time are correctly configured so that you can verify the validity of the certificate
when received. The process that a PIX uses to enroll with a CA server is as follows:
Step 1 The firewall generates an RSA key pair.
Step 2 The firewall contacts the CA server and obtains the CA server’s certificate,
which contains the public key.
Step 3 The firewall requests a signed certificate from the CA server using the generated
key and the public key from the CA.
Step 4 The CA administrator verifies the request and returns the signed certificate.