PKI infrastructure and digital certificates

A PKI infrastructure is a centralized key management system that

  • provides defined policies, procedures, and roles supporting public key cryptography

  • generates, verifies, and revokes public key certificates, commonly known as digital certificates, and

  • manages key pairs consisting of public and private keys for VPN endpoints to sign and encrypt messages.

Public key cryptography and certificate components

In public key cryptography, each endpoint of a connection has a key pair consisting of both a public and a private key. The key pairs are used by the VPN endpoints to sign and encrypt messages. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other, securing the data flowing over the connection.

Generate a general-purpose RSA, ECDSA, or EDDSA key pair for signing and encryption. Alternatively, generate separate key pairs for each purpose. Separate signing and encryption keys help to reduce key exposure. SSL uses a key for encryption, while IKE uses a key for signing. Separate keys for each purpose minimize exposure.

Certificates also ensure non-repudiation by providing proof that communication between two peers occurred.

You can obtain CA certificates by:

  • Using the Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST) to retrieve the CA's certificate from the CA server

  • Manually copying the CA's certificate from another participating device

Trustpoints represent the object representation of a CA and associated certificates. A trustpoint includes the identity of the CA, CA-specific parameters, and an association with a single enrolled identity certificate.

A PKCS#12, or PFX, file holds the server certificate, any intermediate certificates, and the private key in one encrypted file. This type of file may be imported directly into a device to create a trustpoint.

A CA may also revoke certificates for peers that no longer participate in your network. Revoked certificates are either managed by an Online Certificate Status Protocol (OCSP) server or are listed in a certificate revocation list (CRL) stored on an LDAP server. A peer may check these before accepting a certificate from another peer.

Digital certificates or identity certificates

When you use digital certificates as the authentication method for VPN connections, peers are configured to obtain digital certificates from a Certificate Authority (CA). CAs are trusted authorities that sign certificates to verify their authenticity, thereby guaranteeing the identity of the device or user.

Digital certificates contain these components:

  • The digital identification of the owner for authentication, such as name, serial number, company, department, or IP address.

  • A public key needed to send and receive encrypted data to the certificate owner.

  • The secure digital signature of a CA.

The certificate enrollment process includes these steps:

  1. CA servers manage public CA certificate requests and issue certificates to participating network devices as part of a PKI.

  2. Each participating device enrolls individually with a CA server, which validates identities and creates an identity certificate.

  3. Each participating peer sends their identity certificate to the other peer to validate their identities and establish encrypted sessions with the public keys contained in the certificates.

Certificate enrollment

Using a PKI improves the manageability and scalability of your VPN because you do not have to configure preshared keys between all encrypting devices. Instead, enroll each participating device with a CA server, which validates identities and creates an identity certificate for the device. After completing enrollment, each participating peer sends its identity certificate to the other peer to validate their identities and establish encrypted sessions with the public keys contained in the certificates. For more information about enrolling Firewall Threat Defense device certificates, refer to Certificate Enrollment Objects.

Certificate authority certificates

In order to validate a peer’s certificate, each participating device must retrieve the CA's certificate from the server. A CA certificate is used to sign other certificates. It is self-signed and called a root certificate. This certificate contains the CA's public key, which you use to decrypt and validate the CA's digital signature and the contents of the received peer's certificate.

To obtain the CA certificate:

  • Use the Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST) to retrieve the CA’s certificate from the CA server

  • Manually copy the CA's certificate from another participating device

Trustpoints

Once enrollment is complete, a trustpoint is created in the managed device. It is the object representation of a CA and associated certificates. A trustpoint includes the identity of the CA, CA-specific parameters, and one enrolled identity certificate.

PKCS#12 file

A PKCS#12 file, or PFX file holds the server certificate, intermediate certificates, and the private key in one encrypted file. This type of file may be imported directly into a device to create a trustpoint.

Revocation checking

A CA may also revoke certificates for peers that no longer participate in your network. Revoked certificates are either managed by an Online Certificate Status Protocol (OCSP) server or are listed in a certificate revocation list (CRL) stored on an LDAP server. A peer may check these before accepting a certificate from another peer.