Nortel 4134 Guia Do Utilizador
Digital Certificates in IKE
53
The SR4134 uses LDAP to download the CRL periodically from the CA
and store it locally so that the validity of certificates can be verified during
negotiation. The SR4134 also supports certificate validation using OCSP.
and store it locally so that the validity of certificates can be verified during
negotiation. The SR4134 also supports certificate validation using OCSP.
Certificate validation using OCSP
Online Certificate Status Protocol (OCSP) is an alternative to the CRL
approach for verifying the validity of a digital certificate.
approach for verifying the validity of a digital certificate.
In the CRL method, there can be a lag between the CA publishing an
updated CRL and the SR4134 downloading the same CRL, creating a
window of vulnerability. In this period, the router does not have a fool proof
mechanism for validating the certificate. OCSP is used to overcome this
vulnerability.
updated CRL and the SR4134 downloading the same CRL, creating a
window of vulnerability. In this period, the router does not have a fool proof
mechanism for validating the certificate. OCSP is used to overcome this
vulnerability.
In the OCSP method, for each certificate that the router receives, the
gateway proactively contacts the CA or the approved third party and
requests the status of the certificate in question. Based on the response of
the provider, the gateway makes a decision to accept the certificate or not.
gateway proactively contacts the CA or the approved third party and
requests the status of the certificate in question. Based on the response of
the provider, the gateway makes a decision to accept the certificate or not.
The SR4134 runs an OCSP client and the CA or an approved third party
runs the OCSP server. OCSP uses HTTP for transport.
runs the OCSP server. OCSP uses HTTP for transport.
Certificate enrollment using SCEP client
Since the secure router needs to present a mutually-trusted certificate to
a peer, it needs access to the self certificate (the certificate of the secure
router itself), the certificate of the issuing authority and the certificate of
every CA above that up to the root CA.
a peer, it needs access to the self certificate (the certificate of the secure
router itself), the certificate of the issuing authority and the certificate of
every CA above that up to the root CA.
To obtain a digital certificate from the CA online, the SR4134 supports
Simple Certificate Enrollment Protocol (SCEP). The SR4134 uses SCEP to
obtain the certificates once and then stores them locally.
Simple Certificate Enrollment Protocol (SCEP). The SR4134 uses SCEP to
obtain the certificates once and then stores them locally.
The secure router supports the SCEP client while the CA runs a SCEP
server. SCEP uses HTTP for transport.
server. SCEP uses HTTP for transport.
The SR4134 obtains a certificate using SCEP as follows:
•
The router creates a public/private key pair.
•
The router sends the public key to the CA, requesting the CA certificate
from the CA.
from the CA.
•
The router generates a request for a self certificate and submits the
request to the CA.
request to the CA.
•
The CA verifies the certificate request and sends a signed certificate
to the router.
to the router.
•
The router stores the CA certificate and self certificate in the PKI
database for future use.
database for future use.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.