SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Digital Certificate exchange

Good evening,

i would like to check my understanding in PKI:

 

1-if we have 2 HOSTS (Host A and Host B) under same CA, what will happen is :

each Host will receive a local certificate and CA-certificate from the CA.

Host A will receive the local certificate from Host B and will use the CA-Certificate to validate it ???????

 

 

2-If we have 2 Host under different CAs (CA-sales , CA-marketing) but of-course the 2 CAs under a common root-CA what will happend is :

-Host A will receive a local certificate and CA-certificate from CA-sales and also receive a CA-certificate from the Root-CA

-Host B will receive a local certificate and CA-certificate from CA-marketing and also receive a CA-certificate from the root-CA

-Host A will send  the local certificate and the CA-Certificate(CA-sales) to Host B

-Host B will use the Root CA-Certificate to validate the received CA-Certificate(CA-sales) and then will use the CA-Certificate(sales) to Validate the received local certifcate of Host A

Distinguished Expert
Posts: 573
Registered: ‎08-23-2015
0 Kudos

Re: Digital Certificate exchange

Hello,

 

1) 'Host A will receive the local certificate from Host B and will use the CA-Certificate to validate it' --- In simple terms you are right.

 

2) At no point of time Host sends the CA certificate to other host generally. It only sends the local certificate. The receiver checks whether he has a trust chain built.

 

e.g. Only if ''CA-Sales - CA-Root'' trust chain is built on Host A and ''CA-Marketing - CA Root'' chain is built on Host B (This generally happens when you load host and CA certificates on device) they will be able to authenticate each other based on their local certificates.

 

Regards,

 

Rushi

 

Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Digital Certificate exchange

That's soo confusing Smiley Sad 

When i was studying it was said that you may receive a certificate chain from a remote peer containing EE certificate and intermediate CA-certificates and you will use the common CA certificate to validate the top CA-certificate and then you will use this intermediate CA certificate to validate the next and so on til validate the end entity certificate Smiley Sad 

Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Digital Certificate exchange

Untitled.png

 

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-pki-certificate-chain-unde...

 

i have been reading the same thing while studying ( understanding PKI ) 

please Mr. Rushi help me correct my understanding 

 

Distinguished Expert
Posts: 573
Registered: ‎08-23-2015
0 Kudos

Re: Digital Certificate exchange

Hello,

 

 

Your understanding is not entirely wrong. In simple words:-

 

* Recipient must maintain the certificate chain if it needs to secure authenticate peer when their Sub-CAs are different.

* Sender can send certificate chain (e.g. Local Cert + Sub Cert + Root Cert) but sender's chain will not be used generally to

  authenticate Sender unless receiver has trust relations with Sub Cert + Root Cert. This chain may be used to gather

  information like CRL but not authenticating sender.

 

So just because sender is sending Sub CA + Root CA, I (receiver) will not use those certificates for validating sender unless receiver also trusts Sub CA + Root CA (It has a chain).

 

Regards,

 

Rushi

Contributor
Posts: 119
Registered: ‎03-11-2017
0 Kudos

Re: Digital Certificate exchange

im really upset with juniper explanation of stuff . Smiley Sad this is not the first time to keep studying a topic and find out that my understanding is wrong Smiley Mad

Highlighted
Distinguished Expert
Posts: 1,861
Registered: ‎06-06-2011
0 Kudos

Re: Digital Certificate exchange

Welcome to the real world. To be honest, sometimes "the other vendor" has a very clear and easy explanation of standard features. Which after getting a clear understanding, you just need to see how said feature is implemented on Junos.
[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]