SRX Services Gateway

Digital Certificate exchange

06-05-2017 04:54 PM

Good evening,

I would like to check my understanding of PKI:

1-If we have 2 hosts (Host A and Host B) under the same CA, what will happen is:

each host will receive a local certificate and a CA certificate from the CA.

Host A will receive the local certificate from Host B and will use the CA certificate to validate it?

2-If we have 2 hosts under different CAs (CA-sales, CA-marketing), but of course the 2 CAs are under a common root-CA, what will happen is:

-Host A will receive a local certificate and a CA certificate from CA-sales and also receive a CA certificate from the root-CA

-Host B will receive a local certificate and a CA certificate from CA-marketing and also receive a CA certificate from the root-CA

-Host A will send the local certificate and the CA certificate (CA-sales) to Host B

-Host B will use the root CA certificate to validate the received CA certificate (CA-sales) and then will use the CA certificate (sales) to validate the received local certificate of Host A

6 REPLIES

Re: Digital Certificate exchange

06-05-2017 06:24 PM

Hello,

1) 'Host A will receive the local certificate from Host B and will use the CA-Certificate to validate it' --- In simple terms you are right.

2) Generally, at no point does a host send the CA certificate to the other host. It only sends the local certificate. The receiver checks whether it has a trust chain built.

e.g. Only if the "CA-Sales - CA-Root" trust chain is built on Host A and the "CA-Marketing - CA-Root" chain is built on Host B (this generally happens when you load host and CA certificates on the device) will they be able to authenticate each other based on their local certificates.

Regards,

Rushi


Re: Digital Certificate exchange

06-05-2017 06:42 PM

That's so confusing.

When I was studying, it was said that you may receive a certificate chain from a remote peer containing the EE certificate and intermediate CA certificates, and you will use the common CA certificate to validate the top CA certificate, then use this intermediate CA certificate to validate the next, and so on until you validate the end-entity certificate.


Re: Digital Certificate exchange

06-05-2017 07:00 PM

(attachment: Untitled.png)

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-pki-certificate-chain-unde...

I have been reading the same thing while studying (understanding PKI).

Please, Mr. Rushi, help me correct my understanding.


Re: Digital Certificate exchange

06-05-2017 07:34 PM

Hello,

Your understanding is not entirely wrong. In simple words:

* The recipient must maintain the certificate chain if it needs to securely authenticate a peer when their Sub-CAs are different.

* The sender can send a certificate chain (e.g. Local Cert + Sub Cert + Root Cert), but the sender's chain will generally not be used to authenticate the sender unless the receiver has trust relations with Sub Cert + Root Cert. This chain may be used to gather information like the CRL, but not for authenticating the sender.

So just because the sender is sending Sub CA + Root CA, I (the receiver) will not use those certificates for validating the sender unless the receiver also trusts Sub CA + Root CA (it has a chain).

Regards,

Rushi
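The two replies above come down to one rule of X.509 path validation: the receiver decides which CA certificates are trust anchors, and certificates the peer sends along with its own can at most help complete the path to one of those anchors. The script below is an added example, not part of the thread and not Juniper code; it uses the openssl CLI, with openssl verify playing the receiving host, because an SRX applies the same rules inside its IKE/PKI code. The names Root-CA, CA-Sales, CA-Marketing, HostA and HostB, the RSA-2048 keys without passphrases and the 1-year validity are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Juniper: a two-level PKI built with the
# openssl CLI, with "openssl verify" standing in for the receiving host's validator.
# Assumed names (Root-CA, CA-Sales, CA-Marketing, HostA, HostB), RSA-2048 keys without
# passphrases (-nodes) and 1-year validity are illustration choices, not from the page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a root CA, a sub-CA that may only issue end-entity certs, and a host cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > host.ext

# Self-signed root. Going through a CSR and -extfile means only root.ext's extensions are
# applied, whatever the local openssl.cnf would add by default.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Root-CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 365 -extfile root.ext >/dev/null 2>&1

# issue NAME ISSUER EXTFILE: key pair + CSR for NAME, signed by ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 365 -extfile "$3" >/dev/null 2>&1
}
issue CA-Sales     root         subca.ext
issue CA-Marketing root         subca.ext
issue HostA        CA-Sales     host.ext
issue HostB        CA-Marketing host.ext

# Each function plays Host B validating Host A's local certificate. -CAfile is what the
# receiver trusts (the CA certificates it loaded itself); -untrusted is what the peer sent
# alongside its local certificate.

# 1. Receiver trusts Root-CA; peer sent "local cert + CA-Sales". The peer's sub-CA cert
#    completes the path, but the trust anchor is the receiver's own copy of Root-CA.
verify_with_peer_chain() {
  openssl verify -CAfile root.pem -untrusted CA-Sales.pem HostA.pem >/dev/null 2>&1
}

# 2. Same receiver, peer sent only its local cert, and the receiver never loaded CA-Sales:
#    no path to Root-CA can be built, so the peer is rejected.
verify_leaf_only() {
  openssl verify -CAfile root.pem HostA.pem >/dev/null 2>&1
}

# 3. Receiver holds only CA-Marketing (its own issuing CA). The peer sends CA-Sales and
#    Root-CA as well, but a certificate the peer sends is never a trust anchor, so this is
#    rejected too (OpenSSL reports a self-signed certificate in the chain it cannot trust).
verify_peer_supplied_root() {
  cat CA-Sales.pem root.pem > peer_chain.pem
  openssl verify -CAfile CA-Marketing.pem -untrusted peer_chain.pem HostA.pem >/dev/null 2>&1
}

# 4. Receiver loaded the "CA-Sales - Root-CA" chain itself. Now even a leaf-only peer
#    validates, which is the configuration the replies describe.
verify_receiver_has_chain() {
  cat CA-Sales.pem root.pem > receiver_trust.pem
  openssl verify -CAfile receiver_trust.pem HostA.pem >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: valid"; else echo "$1: rejected"; fi; }
report verify_with_peer_chain
report verify_leaf_only
report verify_peer_supplied_root
report verify_receiver_has_chain
```

Run it with sh; cases 1 and 4 print valid, cases 2 and 3 print rejected. Case 3 is the one that answers the original question: the CA-Sales and Root-CA certificates sent by the peer are only used to build the path, and validation still fails because neither is among the receiver's trust anchors. Case 1 is the situation the textbook description has in mind: the intermediate sent by the peer is used, but only because the receiver can anchor it to a root it already trusts.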


Re: Digital Certificate exchange

06-06-2017 04:50 AM

I'm really upset with Juniper's explanation of stuff. This is not the first time I keep studying a topic and find out that my understanding is wrong.


Re: Digital Certificate exchange

06-11-2017 06:47 PM
Welcome to the real world. To be honest, sometimes "the other vendor" has a very clear and easy explanation of standard features. Which after getting a clear understanding, you just need to see how said feature is implemented on Junos.