Digi TransPort WR41 User Manual (948 pages)
Configuring Virtual Private Networking (VPN) Configure Internet Protocol security (IPsec)
Digi TransPort Routers User Guide
522
Use X.509 certificates with IPsec tunnels
The previous discussion of IPsec tunnel configuration implemented security between the two ends of the
tunnel by using a "pre-shared secret" or password. Certificates provide the same sort of mechanism, but
without the need to manually enter or distribute secret keys. To summarize, a user's certificate is
similar to a passport: it provides proof that the user is who they say they are and encloses details of
how to use that certificate to decrypt data encoded with it. However, passports can be forged, so
there also needs to be proof that the passport has been properly issued and has not been changed
since it was. On a paper passport, this is achieved by covering the photograph with a coating that
shows if it has been tampered with, embedding the user's name in code in a long string of numbers,
etc. In the same way, for a Security Certificate to be genuine, it must be protected from alteration as
well. Like a passport, you also have to trust that the issuer is authorized and competent to create the
certificate.
Certificates use something called a "Public/Private Key Pair." This is a complex area, but the principle is
that you can create an encryption key made up from two parts, one private (known only to the user),
the other public (known to everyone). A message encrypted with someone's public key can only be
recovered by the holder of the matching private key. Encrypting a message to someone requires only
their public key, so anyone who knows it can send them an encrypted message: you can send a secure
message to someone knowing only their publicly available key. You can also prove who you are by
including your "identity" in the message, whereupon the recipient can look up the certified public key
for that identity and send a message back that only you can understand. The important principles are:
• Your private key cannot be determined from your public key.
• You both need to be able to look up the other's certified ID.
Once you have established a two-way secure link, you can use it to establish some rules for further
communication.
Before this gets any more complicated, let us assume Digi International is a competent authority to
issue certificates, and examine how certificates work.
Generally, the issuing and management of certificates will be provided as a managed service by Digi or
its partners, but some general information is provided here for system administrators.
Certificates are held in non-volatile files on the router. Any private files are named privxxxx.xxx and
cannot be copied, moved, renamed, uploaded or typed. This is to protect the contents. They can be
overwritten by another file, or deleted.
Two file formats for certificates are supported:
• PEM: Privacy Enhanced MIME
• DER: Distinguished Encoding Rules
Certificate and key files should be in one of these two formats, and should have an extension of .pem
or .der respectively.
Note The equivalent filename extension for .pem files in Microsoft Windows is .cer. By renaming .pem
certificate files to .cer, it is possible to view their makeup under Windows.
The router maintains two lists of certificate files.
• The first is a list of Certificate Authorities or CAs. The router uses the files in this list to
validate public certificates sent by remote users. Public certificates must be signed by one of
the certificates in the CA list before the router can validate them. Certificates with the
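The following script is an added example and is not part of the Digi user guide or the router's own tooling. It uses the standard openssl command-line tool on an administrator's workstation to walk through the concepts above: a throw-away CA issues a certificate to a router key pair, the same certificate is written in both PEM and DER encoding, the certificate is validated against the CA that signed it and rejected against an unrelated CA (the check the router performs with its CA list), and a message encrypted with the public key is recovered only with the private key. All names (Example Test CA, router-example, privrouter.pem) and the working directory are constructed for the example; the file naming merely echoes the guide's privxxxx convention and is not read by any router.

```shell
#!/bin/sh
# Added example (not from the Digi user guide): X.509 concepts demonstrated with
# the openssl CLI. All subject names and file names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; everything stays local
cd "$WORK"

# 1. A test CA: a private key and a self-signed root certificate in PEM format.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout ca_key.pem -out ca_cert.pem >/dev/null 2>&1
}

# 2. The router's key pair plus a signing request; the CA signs the request,
#    producing the router's public certificate. privrouter.pem is the private
#    half and must never leave the device that owns it.
make_router_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=router-example" \
        -keyout privrouter.pem -out router.csr >/dev/null 2>&1
    openssl x509 -req -in router.csr -CA ca_cert.pem -CAkey ca_key.pem \
        -CAcreateserial -days 30 -out router_cert.pem >/dev/null 2>&1
}

# 3. PEM and DER are two encodings of one certificate: convert, then compare
#    the SHA-256 fingerprints of both files. Returns 0 when they match.
same_cert_both_encodings() {
    openssl x509 -in router_cert.pem -outform DER -out router_cert.der
    fp_pem=$(openssl x509 -in router_cert.pem -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in router_cert.der -inform DER -noout -fingerprint -sha256)
    [ "$fp_pem" = "$fp_der" ]
}

# 4a. Validation succeeds when the signer is in the trusted CA list.
verify_against_ca() {
    openssl verify -CAfile ca_cert.pem router_cert.pem >/dev/null 2>&1
}

# 4b. Validation fails when the signer is unknown: an unrelated CA must not
#     vouch for the router certificate. Returns 0 only if openssl rejects it.
verify_against_wrong_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
        -keyout other_key.pem -out other_ca.pem >/dev/null 2>&1
    if openssl verify -CAfile other_ca.pem router_cert.pem >/dev/null 2>&1; then
        return 1   # accepted a certificate from an untrusted issuer: wrong
    fi
    return 0
}

# 5. Public/private key property: anyone can encrypt to the public key that the
#    certificate carries; only the private key holder recovers the plaintext.
roundtrip_with_keypair() {
    printf 'hello from a peer' > msg.txt
    openssl x509 -in router_cert.pem -pubkey -noout > router_pub.pem
    openssl pkeyutl -encrypt -pubin -inkey router_pub.pem -in msg.txt -out msg.enc
    openssl pkeyutl -decrypt -inkey privrouter.pem -in msg.enc -out msg.dec
    cmp -s msg.txt msg.dec
}

make_ca
make_router_cert
same_cert_both_encodings
verify_against_ca
verify_against_wrong_ca
roundtrip_with_keypair
echo "all certificate checks passed in $WORK"
```

Because the script runs under `set -e`, any step that does not behave as the text describes (a fingerprint mismatch, a certificate accepted by the wrong CA, a decrypt that does not reproduce the message) aborts it instead of printing the final line, which makes it a usable self-check before loading real .pem or .der files onto a router.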