
List:       ipsec
Subject:    Re: [Ipsec] help for IKEv2 and certificate chains
From:       sanal p <maverick4ml () yahoo ! com>
Date:       2007-09-11 15:40:36
Message-ID: 298569.43746.qm () web44814 ! mail ! sp1 ! yahoo ! com


That's wonderful, it was clearly explained, and thanks a lot.

--- Tero Kivinen <kivinen@iki.fi> wrote:

> sanal p writes:
> > Hi all,
> > I am working on IKEv2 with certificate chains. I got some doubt here
> > with CERTREQ and CERT payloads. I have 3 CA certificates and 1 server
> > certificate:
> >
> > rootCA --(signs)--> CA1 ---- (signs)---> CA2 ---(signs)---> serverCert
>
> So you have one CA configured as trusted root (rootCA), and then you
> have 2 intermediate CAs (CA1, CA2) and one end entity certificate
> called serverCert.
>
> > 1) In this case what should I send in the CERTREQ payload? Should I
> > send all certificates except serverCert, or any one of them?
>
> When you are sending CERTREQ, you send one CERTREQ payload for each
> trusted root CA you have. In your case you have only one, rootCA,
> meaning that you want the other end to provide you an end entity
> certificate which is signed by the rootCA directly or by one or more
> intermediate CAs.
>
> When you are sending CERT payloads, the first CERT payload you send out
> MUST contain the serverCert of your end, i.e. the certificate for the
> key you are using when signing the AUTH payload. After that you can
> include as many other certificates as you like (i.e. CA1 and CA2) in any
> order. If the other end sent you CERTREQ for a certain CA, you should try
> to include certificates up to that point, but not including that cert
> (as the other end requested it, he must know that certificate already,
> so there is no point in you sending it to him).
>
> For example, if the other end sent CERTREQ for the rootCA (i.e. you
> have the same trusted root configured) you will include serverCert, CA1,
> CA2 (or serverCert, CA2, CA1, or serverCert, CA2, or just serverCert)
> in your reply. If the other end sent CERTREQ for CA2, you simply reply
> with your serverCert.
>
> > I don't know about the real-world scenario of how certificate chains
> > are deployed. For verifying the certificate (PDG certificate), do we
> > need to have all the intermediate CAs on the client side?
>
> You can have all of them on the client side, or you can get them inline
> as separate certificates, or you can get pointers to those (HASH and URL
> formats), or you might have other means to get them (LDAP etc.). For
> bigger chains there is usually no possibility to include all certs, as
> the packets get too big and start to get fragmented.
> -- 
> kivinen@safenet-inc.com
> 



       
____________________________________________________________________________________
Moody friends. Drama queens. Your life? Nope! - their life, your story. Play Sims \
Stories at Yahoo! Games. http://sims.yahoo.com/  

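As an added example (not code from this thread or from any IKEv2 implementation), here is a small Python model of the two rules Tero describes: the sender orders its CERT payloads relative to the CA named in the peer's CERTREQ, and the receiver accepts the remaining certificates in any order, or from its own store. Certificates are stand-in (subject, issuer) pairs constructed for the example; no signature checking is modelled.

```python
from typing import List, Set, Tuple

# Constructed stand-in for an X.509 certificate: (subject, issuer).
Cert = Tuple[str, str]

# The chain from the thread, end-entity first, self-signed root last (constructed).
CHAIN: List[Cert] = [("serverCert", "CA2"), ("CA2", "CA1"),
                     ("CA1", "rootCA"), ("rootCA", "rootCA")]

def cert_payloads(chain: List[Cert], requested_cas: Set[str]) -> Tuple[List[str], bool]:
    """Sender side: order the certificates for the CERT payloads.
    requested_cas are the CA subjects named in the peer's CERTREQ payloads.
    The first CERT is always the end-entity cert (the AUTH signing key);
    intermediates follow up to, but not including, a CA the peer already
    holds. Returns (subjects to send, whether a requested CA was reached)."""
    by_subject = dict(chain)
    cur = chain[0][0]
    out = [cur]
    while True:
        issuer = by_subject[cur]
        if issuer in requested_cas:
            return out, True               # peer knows this CA: stop before it
        if by_subject.get(issuer, issuer) == issuer:
            return out, False              # next is a root the peer did not ask for
        out.append(issuer)
        cur = issuer

def build_path(received: List[Cert], local: List[Cert], trusted_roots: Set[str]) -> List[str]:
    """Receiver side: the first CERT is the peer's end-entity cert; the rest may
    arrive in any order, or be omitted if we hold them locally. Walk issuer links
    to a trusted root and return the ordered path, or fail if the chain breaks."""
    if not received:
        raise ValueError("no CERT payload")
    pool = dict(local)
    pool.update(received[1:])
    path = [received[0][0]]
    issuer = received[0][1]
    while issuer not in trusted_roots:
        if issuer not in pool or pool[issuer] == issuer or issuer in path:
            raise ValueError(f"cannot chain to a trusted root at {issuer}")
        path.append(issuer)
        issuer = pool[issuer]
    path.append(issuer)
    return path

if __name__ == "__main__":
    print(cert_payloads(CHAIN, {"rootCA"}))  # (['serverCert', 'CA2', 'CA1'], True)
    print(cert_payloads(CHAIN, {"CA2"}))     # (['serverCert'], True)
    print(build_path([CHAIN[0], CHAIN[2], CHAIN[1]], [], {"rootCA"}))
```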

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

