
Difference between PKI and RSA-signatures

abhijith891
Level 1

Hi all, I believe the 3 authentication methods in a Site-Site VPN are PSK, PKI and RSA-sig. But I am not very clear about how different the PKI and RSA-sig mechanisms are from each other. So can someone please explain the difference between the two?

 

Regards,

Abhijit

1 Accepted Solution


Graham Bartlett
Cisco Employee
Hi
RSA-Sig is basically using RSA Nonces (which are only used in IKEv1, not IKEv2); take a look here:

http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=5

In summary, you have the peer's public key, but this is just the key and is not sent in a certificate (like in PKI). So you need to manually configure the public keys of all peers that you want to talk to. PKI overcomes this limitation by using a CA.

cheers
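The key-distribution difference described in the answer above, as an added example that is not part of the original thread: a hub holding manually configured peer keys cannot authenticate a new peer until its key is added, while a hub holding only the CA's key can. It generalizes beyond IKE to the trust model itself; the toy unpadded RSA, the key values, and names such as `hub_table` and `branch3` are constructed assumptions, and validity and revocation checks are omitted.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keygen(p, q):
    """Toy RSA key from two fixed primes -> (n, d). Illustration only."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)  # unpadded RSA, not for real use

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

# Constructed keys built from Mersenne primes; far too weak for real use.
M = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607)}
CA_N, CA_D = keygen(M[521], M[607])
PEER_N, PEER_D = keygen(M[107], M[127])   # new peer "branch3"
ROGUE_N, ROGUE_D = keygen(M[61], M[89])   # key the CA never vouched for

def issue_cert(identity, pub_n, ca_n, ca_d):
    """CA binds an identity to a public key by signing both."""
    body = f"{identity}|{pub_n}".encode()
    return {"id": identity, "n": pub_n, "sig": sign(body, ca_n, ca_d)}

def auth_manual(peer_table, identity, msg, sig):
    """No CA: the peer's key must already be configured on this device."""
    n = peer_table.get(identity)
    return n is not None and verify(msg, sig, n)

def auth_pki(ca_n, cert, msg, sig):
    """CA model: check the CA's signature on the cert, then the peer's."""
    body = f"{cert['id']}|{cert['n']}".encode()
    return verify(body, cert["sig"], ca_n) and verify(msg, sig, cert["n"])

MSG = b"constructed IKE authentication data"
hub_table = {"branch1": 0xC0FFEE}   # hub was configured before branch3 existed
cert = issue_cert("branch3", PEER_N, CA_N, CA_D)
sig = sign(MSG, PEER_N, PEER_D)

if __name__ == "__main__":
    print("manual, key not configured:", auth_manual(hub_table, "branch3", MSG, sig))
    print("PKI, only CA key configured:", auth_pki(CA_N, cert, MSG, sig))
```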


3 Replies

Hi,

A Site-to-Site VPN can use either PSK or certificates to authenticate. A certificate is either rsa-sig or ecdsa-sig (Suite-B NGE); they are issued by a PKI (aka Certificate Authority). You need a PKI (Public Key Infrastructure) in order to distribute the certificates to use for certificate authentication.

 

HTH


Thanks a lot Graham. Things are pretty clear now. Cheers.
