Cisco Packet Data Gateway (PDG)
IPSec Certificates
CA Certificate Chaining
IPSec Reference, StarOS Release 17
CA Certificate Chaining
Overview
Certificate chaining, also known as hierarchical CA cross certification, is a method by which an entity is authorized by
walking a sequence of intermediate CAs up to the trust-point CA. An intermediate CA is a certification authority
subordinate to a root CA; the root CA is a self-signed authority.
The sequence of root and intermediate certificates belonging to a CA is called a "chain". Each certificate in the chain is
signed by the next certificate up the chain, that is, by its issuer. In this scheme, the end-entity certificate (in the web
server example, the certificate installed on the web server where the user's site is hosted) is signed not by the root
certificate directly but by one of the intermediates.
Figure 12. Root and Intermediate CAs in Certificate Chaining
The peer entities may obtain a certificate from any of the root CAs or intermediate CAs. A certificate may be
authenticated by walking the chain up to a trust anchor, which may be either an intermediate CA or the root CA in the
chain.
When an entity sends its certificate to the peer, it must also send all the certificates in the chain up to the trust anchor
requested by the peer, not including the trust anchor certificate itself.
StarOS supports only X.509 certificate encoding when sending certificates, and supports a maximum certificate chain
length of 4. The length of the certificate chain is defined as the number of all certificates in the chain, including the
entity certificate and the intermediate CA certificates, but excluding the trust anchor certificate.