Configuring Certificate Authority Support
Use of CAs is very useful when you need to configure a large and scalable network
of interconnected peers, where peers can be added or removed at any time.
If you configured a network with IKE using pre-shared keys, you would need to
change the configuration of several firewalls each time a new one is added or
removed. CAs provide an easy method for configuring complicated networks.
The main advantage is that each peer is configured separately and independently
from the others. When public key certificates are used for authenticating parties in
IKE, each peer has a certificate of its own and presents it to its counterpart
during the IKE authentication phase. The other side verifies the authenticity and
validity of this certificate by consulting a CA and, if everything is all right, IKE
authentication is successful. The CA can either be a machine available on your
network or you can use a trusted external authority. In our example, we use an
external VeriSign server that has an IP address of 205.139.94.230.
www.syngress.com
Configuring Virtual Private Networking • Chapter 7 355
Enrollment is a complex process and includes the following steps:
1. The PIX generates its own RSA public/private key pair.
2. The PIX requests the CA's public key and certificate. This must either
be done over a secure channel or be checked by some offline means,
for example by comparing certificate fingerprints.
3. The PIX submits a request for a new certificate. This request includes
the public key generated at Step 1 and is encrypted with the CA's public
key obtained in Step 2.
4. The CA's administrator verifies the requester's identity and sends out a
new certificate. This certificate is signed by the CA, so its authenticity
can be verified by anybody who has a copy of the CA's certificate.
NOTE
Before configuring CA support on the PIX, make sure that its internal
clock and time zone have been set correctly.
You need to decide whether you will be using certificate revocation lists (CRLs).
These lists are maintained by some CAs as a means of checking for revoked certificates.
If you turn on CRL support, each certificate will be checked against this list before it is
accepted. This requires that a connection between the firewall and
the CA be available at the time of authentication, which is not always possible.
If you do not use CRLs, you only need connectivity with the CA during
enrollment, and all later verification of certificates is done using the CA's
public certificate, which the firewall obtained from the CA during enrollment.
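As an added illustration of the four enrollment steps and of the CRL trade-off described above, the following Go program simulates both sides with the standard library. It is example code written for this page, not code from the book or from the PIX. A constructed self-signed CA stands in for the external server; the CA name, the firewall's subject name "pix-firewall.example" and the serial numbers are assumptions. The CA answers in-process, so the encryption of the request in transit (Step 3) and the administrator's identity check (Step 4) are not modelled; the CA simply signs the request it receives.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on local failures that cannot be handled (RNG, encoding); trust decisions return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCA stands in for the external CA: a self-signed certificate that may sign certificates and CRLs (constructed).
func makeCA() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// makeCRL issues a CA-signed CRL listing one revoked serial number.
func makeCRL(caKey *rsa.PrivateKey, caCert *x509.Certificate, revoked *big.Int) []byte {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: time.Now()}},
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
}

// fingerprint is the SHA-256 value an administrator compares by offline means in Step 2.
func fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// enroll runs Steps 1-4 from the firewall's side. The CA answers in-process,
// so encryption of the request in transit (Step 3) is not modelled.
func enroll(caKey *rsa.PrivateKey, caCert *x509.Certificate, expectedFP string) (*rsa.PrivateKey, *x509.Certificate, error) {
	// Step 1: the firewall's own RSA key pair; the private half never leaves it.
	peerKey := must(rsa.GenerateKey(rand.Reader, 2048))
	// Step 2: the received CA certificate must match the fingerprint obtained offline.
	if fingerprint(caCert) != expectedFP {
		return nil, nil, fmt.Errorf("CA certificate fingerprint mismatch")
	}
	// Step 3: a request carrying the Step 1 public key, self-signed as proof of possession.
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "pix-firewall.example"}} // hypothetical name
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, peerKey))))
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, fmt.Errorf("CSR rejected: %w", err)
	}
	// Step 4: after the administrator's identity check (out of band), the CA signs the public key in the request.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return peerKey, must(x509.ParseCertificate(der)), nil
}

// verifyPeer is the IKE-time check: CA signature, validity at `now` (hence the clock NOTE),
// and, only when crlDER is non-nil, membership in a CA-signed CRL.
func verifyPeer(cert, caCert *x509.Certificate, crlDER []byte, now time.Time) error {
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("not signed by the trusted CA: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s", now.Format(time.RFC3339))
	}
	if crlDER == nil {
		return nil // CRLs not used: the stored CA certificate alone decides
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}
```

With `crlDER` set to nil, `verifyPeer` needs nothing but the CA certificate stored at enrollment, which is the no-CRL case in the text; when a CRL is supplied, it has to be a current, CA-signed list obtained from the CA, which is the connectivity requirement the text warns about. The validity-period comparison is also why the NOTE insists on a correct clock: a firewall whose clock is wrong will reject good certificates or accept expired ones.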