Cisco StarOS IP Security (IPSec) Reference
IPSec Certificates
CA Certificate Chaining
Certificate data in the payload: peer certificate issued by intermediate CA1_1, StarOS certificate issued by root CA1
1. StarOS sends IKE_SA_INIT to the peer.
2. Peer sends IKE_SA_INIT to StarOS. This message includes CERTREQ with Encoding = “X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1_1 and CA1 in any order”.
3. StarOS sends IKE_AUTH to peer. StarOS includes one CERT payload with the requested encoding type and the entity certificate issued by CA1. StarOS includes CERTREQ with Encoding = “X.509 Certificate - Signature” and Certification Authority = “Hash of public key info of CA1”.
4. Peer sends IKE_AUTH to StarOS. Peer includes two CERT payloads with Encoding = “X.509 Certificate - Signature”: (1) the entity certificate data, and (2) the certificate data of CA1_1.
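The exchange above turns on one rule from RFC 7296 section 3.7: for the “X.509 Certificate - Signature” encoding, the Certification Authority field of CERTREQ is a concatenation of SHA-1 hashes of the SubjectPublicKeyInfo of each trust anchor, and the responder sends only the part of its chain that lies below an anchor the requester listed. The following Python is an added example, not StarOS code, that encodes and parses a CERTREQ body and replays steps 2 to 4 with a constructed PKI (the SPKI byte strings are placeholders, not real DER; certificate names, the `Cert` class and the helper functions are this example's own):

```python
import hashlib
from dataclasses import dataclass

# RFC 7296 section 3.7: Certificate Encoding value for "X.509 Certificate - Signature".
ENC_X509_SIG = 4
SHA1_LEN = 20


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the exchange needs."""
    name: str
    spki: bytes     # SubjectPublicKeyInfo DER; constructed placeholder bytes in this example
    issuer: str     # name of the issuing certificate (equal to name for a self-signed root)


def spki_hash(cert: Cert) -> bytes:
    """SHA-1 of the SubjectPublicKeyInfo, the value RFC 7296 puts in the CERTREQ CA field."""
    return hashlib.sha1(cert.spki).digest()


def build_certreq(anchors: list[Cert]) -> bytes:
    """Encode a CERTREQ body: one encoding byte followed by the concatenated CA hashes."""
    return bytes([ENC_X509_SIG]) + b"".join(spki_hash(a) for a in anchors)


def parse_certreq(body: bytes) -> tuple[int, list[bytes]]:
    """Split a CERTREQ body back into (encoding, [20-byte hashes]); reject malformed lengths."""
    if not body:
        raise ValueError("empty CERTREQ")
    enc, hashes = body[0], body[1:]
    if enc != ENC_X509_SIG:
        raise ValueError(f"unsupported certificate encoding {enc}")
    if len(hashes) % SHA1_LEN:
        raise ValueError("CA field is not a whole number of SHA-1 hashes")
    return enc, [hashes[i:i + SHA1_LEN] for i in range(0, len(hashes), SHA1_LEN)]


def select_cert_payloads(entity: Cert, store: list[Cert], requested: list[bytes]) -> list[Cert]:
    """Choose which certificates to send as CERT payloads.

    Walk from the entity certificate toward the root and stop as soon as the next
    issuer is one of the trust anchors the peer listed. The anchor itself is not
    sent (the peer already holds it); everything below it is.
    """
    by_name = {c.name: c for c in store}
    wanted = set(requested)
    chain = [entity]
    cur = entity
    while True:
        issuer = by_name.get(cur.issuer)
        if issuer is None:
            raise ValueError(f"issuer {cur.issuer!r} of {cur.name!r} not in local store")
        if spki_hash(issuer) in wanted:
            return chain
        if issuer is cur:  # reached a self-signed root the peer did not ask for
            raise ValueError("no path to a trust anchor the peer requested")
        chain.append(issuer)
        cur = issuer


# Constructed sample PKI matching the scenario: root CA1 issues both the StarOS
# entity certificate and the intermediate CA1_1; CA1_1 issues the peer's certificate.
CA1 = Cert("CA1", b"constructed-spki-CA1", issuer="CA1")
CA1_1 = Cert("CA1_1", b"constructed-spki-CA1_1", issuer="CA1")
STAROS = Cert("staros-entity", b"constructed-spki-staros", issuer="CA1")
PEER = Cert("peer-entity", b"constructed-spki-peer", issuer="CA1_1")


def run_exchange() -> dict[str, list[str]]:
    """Replay steps 2-4: each side parses the other's CERTREQ and picks its CERT payloads."""
    peer_req = build_certreq([CA1_1, CA1])      # step 2: peer lists CA1_1 and CA1
    staros_req = build_certreq([CA1])           # step 3: StarOS lists CA1 only
    _, peer_wants = parse_certreq(peer_req)
    _, staros_wants = parse_certreq(staros_req)
    staros_sends = select_cert_payloads(STAROS, [CA1, CA1_1, STAROS], peer_wants)  # step 3
    peer_sends = select_cert_payloads(PEER, [CA1, CA1_1, PEER], staros_wants)      # step 4
    return {"staros": [c.name for c in staros_sends], "peer": [c.name for c in peer_sends]}


if __name__ == "__main__":
    print(run_exchange())
```

Running it reproduces the payload counts in the steps: StarOS, whose certificate is issued directly by CA1, answers the peer's two-hash CERTREQ with a single CERT payload, while the peer, whose certificate hangs off CA1_1, must add the CA1_1 intermediate because StarOS only advertised CA1. The parser's length check matters in practice: a CA field that is not a multiple of 20 bytes should be rejected rather than silently truncated, since a partial hash would never match any anchor and would make the chain selection fail in a confusing way.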
External Interfaces
Support for “Hash & URL” delivery of certificates or certificate bundles requires an HTTP or FTP interface to download the data; that interface is implemented separately. OCSP verification of certificates also involves a TCP connection to the OCSP server during verification.