Westermo MR Series User Manual

Page 388

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

The remote unit must have copies of CERT01.PEM (its certificate) and PRIVRSA.PEM (the matching
private key). In addition, any Eroutes that are going to use certificates for authentication should
be configured as follows:

Our ID

Should be set to “[email protected]”. This is the same as the subject AltName in certificate
CERT01.PEM, which makes it possible for the router to locate the correct certificate to send to
the host.

Authentication Method

Should be set to RSA Signatures. This indicates to IKE that RSA signatures (certificates) are to
be used for authentication.

When IKE receives a signature from a remote unit, it needs to retrieve the correct public key so
that it can verify the signature. The certificate holding that key must either be on the FLASH
file system, or be provided by the remote unit as part of the IKE negotiation. The ID provided by
the remote unit is used only to find the candidate certificate. Once a matching certificate is
found, the code checks that it has been signed by one of the certificate authority certificates
(CA*.PEM) that exist on the unit; it is this signature check, not the ID, that establishes trust
in the public key. The code checks the local certificates first, and then the certificate
provided by the remote (if any). IKE will send a certificate during negotiations if it is able to
find one whose subject AltName matches the ID being used. If it is not able to locate such a
certificate, the remote must have local access to the file so that the public key can be
retrieved.

A typical set-up is for the host unit to hold a copy of every remote unit's certificate. The
remote units then require only their private key and the certificate authority certificate. This
eases administration, as any change to a certificate need only be made on the host. Because they
hold no copy of their own certificate, the remote units cannot send it during negotiation and rely
on the host having a copy. The alternative is for every remote unit to hold its own certificate
as well as its private key and the certificate authority certificate, with the host holding only
its own certificate (and the certificate authority certificate). This scenario requires the remote
unit to send its certificate during negotiations; the host can validate it because it has the
certificate authority certificate.
