Public Key Cryptography
Obtaining the public key of a sender is normally handled out-of-band or through an operation performed
at installation. For example, most web browsers are configured with the root certificates of several CAs
by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate
peer devices before setting up security associations.
Certificate Scalability
Without digital certificates, you must manually configure each IPSec peer for every peer with which it
communicates, and every new peer you add to a network would then require a configuration change on
every peer with which you need it to communicate securely.
When you use digital certificates, each peer is enrolled with a CA. When two peers try to communicate,
they exchange certificates and digitally sign data to authenticate each other. When a new peer is added
to the network, you enroll that peer with a CA and no other peers need modification. When the new peer
tries an IPSec connection, certificates are automatically exchanged and the peer can be authenticated.
With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and
performing some public key cryptography. Each peer sends its unique certificate that was issued by the
CA. This process works because each certificate encapsulates the public key for the associated peer, each
certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating
authority. This is called IKE with an RSA signature.
The peer can continue sending its certificate for multiple IPSec sessions, and to multiple IPSec peers,
until the certificate expires. When its certificate expires, the peer administrator must obtain a new one
from the CA.
CAs can also revoke certificates for peers that no longer participate in IPSec. Revoked certificates are
not recognized as valid by other peers. Revoked certificates are listed in a CRL, which each peer may
check before accepting a certificate from another peer.
Some CAs have an RA as part of their implementation. An RA is a server that acts as a proxy for the CA
so that CA functions can continue when the CA is unavailable.
About Key Pairs
Key pairs are RSA keys, which can be used for SSH or SSL connections, have the following
characteristics:
•
•
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
12-2
For the purposes of generating keys, the maximum key modulus for RSA keys is 2048 bits. The
default size is 1024 bits. Many SSL connections using identity certificates with RSA key pairs that
exceed 1024 bits can cause a high CPU usage on the FWSM and rejected clientless logins.
For signature operations, the supported maximum key size is 4096 bits.
You can generate a general-purpose RSA key pair, used for both signing and encryption, or you can
generate separate RSA key pairs for each purpose.
Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a
key for encryption but not signing, while IKE uses a key for signing but not encryption.
Chapter 12
Configuring Certificates
OL-20748-01