Panasonic NN46110-600 User Manual

Chapter 3 Using certificates 85

Figure 14

CA Key Update ready for authentication

Prior to a key update, the original CA certificate (which is a self-signed root

certificate in the diagram above) is pushed out to the directory by the CA, along
with the CRL it produced (a list of revoked certificates, digitally signed by the CA
certificate). Both the VPN Router and the user’s PC have certificates signed by

that CA, as well as the self-signed CA certificate itself. The user authenticates the

VPN Router certificate because it has the original CA certificate that created the
VPN Router certificate stored locally. Likewise, the VPN Router authenticates the

user because it has the CA certificate that issued the user certificate. The VPN
Router can also verify that the user’s certificate is not revoked, because it was

configured to periodically retrieve the latest CRL from the directory. It can

authenticate that CRL because it has the CA certificate that signed it.

After a CA Key Update occurs, the directory contains four certificates:

•

the original self-signed

•

the new self-signed

•

two cross certificates

From this point forward, all CRL’s issued by the CA are signed by the updated

CA.

Nortel VPN Router Security — Servers, Authentication, and Certificates