Amer Networks E5Web GUI User Manual

Between creating the request and importing the signed certificate file, the certificate object
has a Type set to the value Request.

These functions are described in detail in an appendix of the separate InControl Administration Guide.

Certificates with VPN Tunnels

The main usage of certificates in cOS Core is with VPN tunnels. The simplest and fastest way to
provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a VPN network
grows so does the complexity of using PSKs. Certificates provide a means to better manage
security in much larger networks.

Certificate Authorities

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA
digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of
the certificate holder, and guarantees that the certificate has not been tampered with by any
third party.

A CA is responsible for making sure that the information in every certificate it issues is correct. It
also has to make sure that the identity of the certificate matches the identity of the certificate
holder.

Certificate Chains

A CA can also issue certificates to other CAs. This leads to a chain-like certificate hierarchy. The
highest certificate is called the Root Certificate and it is signed by the Root CA. Each certificate in
the chain is signed by the CA of the certificate directly above it in the chain. However, the root
certificate is signed by itself (it is "self-signed"). Certificates in the chain between the root
certificate and the end certificate are called Intermediate Certificates.

A Certification Path refers to the path of certificates from one certificate to another. When
verifying the validity of a user certificate, the entire path from the user certificate up to the
trusted root certificate has to be examined before establishing the validity of the user certificate.

The CA certificate is just like any other certificate, except that it allows the corresponding private
key to sign other certificates. Should the private key of the CA be compromised, the whole CA,
including every certificate it has signed, is also compromised.

Chained certificates are supported in the following cOS Core features:

Access with HTTPS to the Web Interface.

IPsec VPN.

SSL VPN.

The TLS ALG.

In cOS Core IPsec VPN, the maximum length of a certificate chain is 4. In VPN scenarios with
roaming clients, the client's certificate will be the bottom of the certificate chain.
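The path validation described above (walk from the end certificate through any intermediates up to a trusted root, check each signature and validity period, and respect the chain-length limit) can be exercised with the Go standard library. The following program is an added example and not code from the manual or from cOS Core: it builds a constructed three-level hierarchy (root CA, intermediate CA, VPN client certificate) plus an unrelated root, then shows that validation succeeds only when the complete path reaches the trusted root within its validity period. The certificate names, the fixed clock and the `MaxChainLen` constant (taken from the limit of 4 stated above) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxChainLen is the IPsec certificate-chain limit stated in the manual.
const MaxChainLen = 4

// Fixed clock so the validity checks below are reproducible (constructed value).
var issuedAt = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

var nextSerial int64 // unique serial number per issued certificate

// issue creates a one-year certificate for cn. A nil parent produces a self-signed
// root; otherwise the certificate is signed by parentKey, the CA one level up.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             issuedAt,
		NotAfter:              issuedAt.AddDate(1, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA key may sign other certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // roaming VPN client
	}
	if parent == nil {
		parent, parentKey = tmpl, key // root certificate: signed with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoPKI is a constructed hierarchy Root -> Intermediate -> Leaf, plus an
// unrelated root that must never be accepted as the trust anchor for Leaf.
type DemoPKI struct {
	Root, Intermediate, Leaf, OtherRoot *x509.Certificate
}

// BuildDemoPKI issues the constructed certificates (hypothetical names).
func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue("Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Demo Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("vpn-client-01", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	other, _, err := issue("Unrelated Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Intermediate: inter, Leaf: leaf, OtherRoot: other}, nil
}

// VerifyPath builds the certification path from leaf up to a trusted root using the
// intermediates the peer presented, checks every validity period at time at, and
// enforces the chain-length limit. It returns the number of certificates in the path.
func VerifyPath(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, at time.Time) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err // no path to a trusted root, or a certificate outside its validity period
	}
	n := len(chains[0]) // leaf, intermediates..., root
	if n > MaxChainLen {
		return n, fmt.Errorf("chain length %d exceeds limit %d", n, MaxChainLen)
	}
	return n, nil
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	inter := []*x509.Certificate{p.Intermediate}
	valid := issuedAt.Add(24 * time.Hour)
	cases := []struct {
		name         string
		inter, roots []*x509.Certificate
		at           time.Time
	}{
		{"complete path, trusted root", inter, []*x509.Certificate{p.Root}, valid},
		{"intermediate missing", nil, []*x509.Certificate{p.Root}, valid},
		{"wrong trust anchor", inter, []*x509.Certificate{p.OtherRoot}, valid},
		{"certificates expired", inter, []*x509.Certificate{p.Root}, issuedAt.AddDate(2, 0, 0)},
	}
	for _, c := range cases {
		n, err := VerifyPath(p.Leaf, c.inter, c.roots, c.at)
		fmt.Printf("%-30s length=%d err=%v\n", c.name, n, err)
	}
}
```

Only the first case succeeds, with a path of three certificates. The other three fail for the reasons the text gives: a missing intermediate leaves a gap in the path, an unrelated root is not the signer of the intermediate, and a clock past `NotAfter` puts every certificate in the hierarchy outside its validity time.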

Validity Time

A certificate is not valid forever. Each certificate contains values for two points in time between

Chapter 3: Fundamentals
