beautypg.com

Ca server access – Amer Networks E5Web GUI User Manual

Page 646

background image

9.7. CA Server Access

Overview

Certificate validation can be done by accessing a separate Certifícation Server (CA) server. For
example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup
negotiation and either may then try to validate the received certificate.

A certificate contains a URL (the CRL Distribution Point) which specifies the validating CA server
and server access is performed using an HTTP GET request with an HTTP reply. (This URL is more
correctly called an FQDN - Fully Qualified Domain Name.)

CA Server Types

CA servers are of two types:

A commercial CA server operated by one of the commercial certificate issuing companies.
These are accessible over the public Internet and their FQDNs are resolvable through the
public Internet DNS server system.

A private CA server operated by the same organization setting up the VPN tunnels. The IP
address of a private server will not be known to the public DNS system unless it is explicitly
registered. It also will not be known to an internal network unless it is registered on an
internal DNS server.

Access Considerations

The following considerations should be taken into account for CA server access to succeed:

Either side of a VPN tunnel may issue a validation request to a CA server.

For a certificate validation request to be issued, the FQDN of the certificate's CA server must
first be resolved into an IP address. The following scenarios are possible:

1.

The CA server is a private server behind the Clavister Security Gateway and the tunnels
are set up over the public Internet but to clients that will not try to validate the
certificate sent by cOS Core.

In this case, the IP address of the private server needs only be registered on a private
DNS server so the FQDN can be resolved. This private DNS server will also have to be
configured in cOS Core so it can be found when cOS Core issues a validation request.
This will also be the procedure if the tunnels are being set up entirely internally without
using the public Internet.

2.

The CA server is a private server with tunnels set up over the public Internet and with
clients that will try to validate the certificate received from cOS Core. In this case the
following must be done:

a.

A private DNS server must be configured so that cOS Core can locate the private CA
server to validate the certificates coming from clients.

b.

The external IP address of the Clavister Security Gateway needs to be registered in
the public DNS system so that the FQDN reference to the private CA server in
certificates sent to clients can be resolved. For example, cOS Core may send a
certificate to a client with an FQDN which is ca.company.com and this will need to
be resolvable by the client to a public external IP address of the Clavister Security

Chapter 9: VPN

646

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: