When using IPSec with a CA, configuring keys among all the
potential IPSec peers isn’t necessary. Instead, each participating device is
individually enrolled with the CA, requesting a certificate for the device. Once
this is done, each participating device can dynamically authenticate itself to
all the other participating peers.
Adding a new IPSec device to an existing network is similarly
simplified. In each case, it’s only necessary to configure the new device to
request a certificate from the CA.
How CA Certs Are
Used by IPSec Peers
As you learned in Chapter 9, any time two IPSec peers
want to establish an IPSec-protected communication session between them, they
must first authenticate each other. This authentication is done with IKE and,
without it, IPSec protection can’t occur.
Without a CA, the peers authenticate themselves to the remote
peer, using either preshared keys (Chapter 10) or RSA-encrypted nonces (see the section “RSA Encrypted Nonces
Overview.”) Both methods require previously configured keys on both peers.
PIX Firewall devices currently don’t support RSA-encrypted nonces.
With a CA, each peer authenticates itself by sending a valid
digital certificate to the remote peer. The peer’s unique certificate was issued
and validated by the CA, encapsulates the peer’s public key and IDs, and works
because all participating peers recognize the CA as an authenticating authority.
This process is called IKE with an RSA signature.
Each peer can continue sending its own certificate for additional
IPSec sessions, as well as to additional IPSec peers, until the certificate
expires. When a certificate expires, the peer administrator must request a new
one from the CA.
Certificate Revocation List (CRL)
CAs can revoke otherwise valid certificates for peers that
will no longer participate in IPSec. These revoked certificates are listed in a
certificate revocation list (CRL), which each peer can check before accepting
another peer’s certificate. Revoked certificates, like expired passports or
driver’s licenses, aren’t recognized as valid by other peers.
Registration Authority (RA)
Some CAs extend their reliability and availability by
supporting registration authority (RA) as part of their implementation. An RA is a server that acts as a proxy for the CA, so CA
functions can continue when the CA is offline or otherwise