04-10-2020 03:48 PM
Hi,
I have the below basic questions regarding IPsec VPN in a PKI environment.
My requirement is to securely communicate between my application running on Linux and several other servers. Each server is running with specific security configurations. I am using a digital certificate for the authentication.
1. Do I need a separate certificate for creating IPsec VPN tunnels with all the servers?
2. In the case of a single certificate to create IPsec tunnels with all other servers, when one of the servers' certificates is revoked, do I have to do anything from my end from an authentication point of view?
3. In the case of a single certificate, if the certificate issuer is different from any of the servers' certificate issuers, how will the validation take place in the IPsec mutual authentication phase?
4. Is a single or multiple certificates better from a security point of view? Multiple means more than one certificate, with each certificate created specifically for a server.
Rgds
Simon
04-11-2020 04:13 AM
There is no single correct answer but many things to consider:
04-11-2020 09:32 PM
Hi Karsten,
Thank you so much for the quick reply.
I agree that having individual certificates is the most secure but difficult to administrate.
You mentioned: If you use shared certificates and you revoke it, all systems using this certificate need to reenrol a new certificate.
Are you saying that if I have only one certificate used for connecting to 3 different peers, and my certificate is revoked, all the other peers also need to get a new certificate? So during the certificate renewal I will lose the connection and it will affect my data traffic?
Will there be any issue if my peers use a different CA certificate issuer?
Rgds
Simon
04-12-2020 12:20 AM
If you have three systems using this certificate and you revoke it, you need to renew this certificate on all three systems.
You will not directly lose traffic, but on the next authentication the connection will likely not come up. It will only have an effect if you enable the revocation-check on your system.
You can easily have certificates from different vendors. Just make sure that you import the proper root-certificate. Example:
A has a cert from CA-1, B has a cert from CA-2.
A needs to import the root-cert of CA-2 and B needs to import the root-cert of CA-1.
04-12-2020 09:08 PM
Thank you so much for your answers.
I have one more last query.
You mentioned that if the shared certificate is revoked, you need to renew this certificate on all three systems.
Are you saying that the renewal on the peers occurs as part of the authentication procedure, or do we need a CSR and a manual certificate upload?
Thanks for your time
04-13-2020 03:31 AM
Not sure if I get your question right ...
When the cert of an entity gets revoked, all future authentications of this entity will fail and you need to get a new certificate. Given that there is a reason that you have revoked the certificate (like key-compromise) you have to make sure that the new certificate uses different keys than the revoked certificate. You need to generate a new key-pair, generate a new CSR based on these keys and apply for a new certificate with this CSR.
04-13-2020 12:42 PM
Hello Karsten,
Sorry for the confusion on my question.
My query is about the new certificate creation. I believe the CSR is generated only on the system where the certificate is revoked (or the key is compromised), and when it gets the new certificate all of its peers get this during the authentication process?
04-14-2020 12:44 AM
A CSR can also be generated offline with a tool like openssl. But yes, most often the CSR is generated on the system using the certificate.
When a system has the new certificate from the CA, it can authenticate itself to any system that has the corresponding root-certificate. The certificate is sent to the peer as part of the authentication-process.
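The three points Karsten makes above (peers from different CAs only need each other's root imported; a revoked certificate is only rejected when the revocation check is enabled; re-enrolment means a new key pair and a new CSR, which openssl can produce) can be reproduced on a scratch PKI. This is an added example, not code from the thread; the names CA-1, CA-2, A and B are constructed and it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): a scratch PKI modelling the CA-1/CA-2
# trust setup and the revoke -> new key pair -> new CSR procedure.
# Names CA-1, CA-2, A and B are constructed; needs only the openssl CLI.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

make_ca() {  # $1 = CA name: self-signed root with a fresh P-256 key
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" -days 365 2>/dev/null
}

enrol() {  # $1 = entity, $2 = issuing CA: new key pair, CSR, CA-signed cert
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -out "$1.crt" -days 365 2>/dev/null
}

# The check a peer performs on the certificate it receives during IKE
# authentication: does it chain to a root I have imported, and (only when a
# CRL is supplied, i.e. revocation-check enabled) is it not revoked?
trusted_by() {  # $1 = peer cert, $2 = trusted root cert, [$3 = CRL file]
    if [ -n "${3:-}" ]; then set -- -crl_check -CRLfile "$3" -CAfile "$2" "$1"
    else set -- -CAfile "$2" "$1"; fi
    openssl verify "$@" >/dev/null 2>&1
}

revoke_and_crl() {  # $1 = cert to revoke, $2 = its CA: minimal openssl-ca database
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s.idx\ncrlnumber=%s.crlnum\n' \
        "$2" "$2" > "$2.cnf"
    printf 'default_md=sha256\ndefault_crl_days=30\n' >> "$2.cnf"
    : > "$2.idx"; echo 01 > "$2.crlnum"
    openssl ca -config "$2.cnf" -keyfile "$2.key" -cert "$2.crt" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$2.cnf" -keyfile "$2.key" -cert "$2.crt" -gencrl -out "$2.crl" >/dev/null 2>&1
}

make_ca CA-1; make_ca CA-2
enrol A CA-1; enrol B CA-2            # A's cert from CA-1, B's from CA-2
trusted_by B.crt CA-2.crt && echo "A validates B after importing root CA-2"
trusted_by B.crt CA-1.crt || echo "A cannot validate B with only root CA-1"
cp A.crt A-old.crt                    # keep the compromised cert for comparison
revoke_and_crl A-old.crt CA-1         # CA-1 revokes it and publishes a CRL
enrol A CA-1                          # A re-enrols with a NEW key pair and CSR
trusted_by A-old.crt CA-1.crt && echo "revoked cert still passes without revocation-check"
trusted_by A-old.crt CA-1.crt CA-1.crl || echo "revoked cert rejected once the CRL is checked"
trusted_by A.crt CA-1.crt CA-1.crl && echo "re-enrolled A accepted with CRL check"
```

The peers B connects to never need a new certificate: only A's own key pair, CSR and certificate change, and A presents the new certificate at the next authentication.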
04-20-2020 11:43 AM
Hello Karsten,
1. If my system needs to connect to three other security gateways and 1 RADIUS server, can I have only one certificate for all these gateways and the RADIUS server?
2. Since I am not using OCSP, do I need to get the CRLs for the root CA, the SCA CRL, etc.?
Rgds
Simon