52 IPsec VPN fundamentals
Nortel Secure Router 4134 Security — Configuration and Management
NN47263-600 01.02 Standard 10.0 3 August 2007
Copyright © 2007, Nortel Networks.

more scalable solution than preshared key authentication. Each gateway provides a digital signature of the negotiation to the other side. Verification of the signature authenticates the peers.

To perform signature-based authentication, each security gateway needs access to the public key of the peer. The gateways exchange public key information by exchanging digital certificates.

A Public Key Infrastructure (PKI) is required to verify the authenticity of the peers. The PKI assumes that a Certificate Authority trusted by both peers is available to create digital certificates.

A Certificate Authority (CA) issues digital certificates conforming to the X.509 format. A digital certificate contains the credentials and public key information of an entity, endorsed by the CA with a digital signature. To validate the exchanged certificates, the two security gateways must share a mutually trusted CA.

Each gateway can therefore confirm that the CA has validated the identity of the other member. To validate the certificate of the peer, each member verifies the CA signature on the certificate and checks the certificate revocation list (CRL) issued by the CA. If the peer certificate is not on the CRL, it is assumed to be valid. Note that a CRL can only list certificates revoked before it was published, so the gateway must use a current CRL from the CA for this check to mean anything.

The maximum number of CA certificates supported on the SR4134 is 10.
The maximum number of self certificates supported on the SR4134 is 10.

Internet X.509 PKI certificate and CRL profile

The SR4134 supports RFC 2459, which describes the X.509 v3 certificate format. The RFC also defines the X.509 v2 CRL format and extension set. Of the extensions in that profile, the SR4134 supports only the following X.509 v3 certificate extensions:
• Key Usage
• Subject Alternative Name
• CRL Distribution Points

Certificate validation

With PKI, the security gateways need to verify the validity of the digital certificates exchanged during IKE negotiation. A certificate can be revoked by the CA for a variety of reasons, for example at the request of a user whose private key has been compromised.

To allow peers to confirm the validity of a certificate, the CA periodically publishes a certificate revocation list (CRL) containing the serial numbers of the revoked certificates.
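The following is an added example, not code from the Nortel manual or the SR4134 itself. It models the peer-certificate validation described above (trusted CA, CA signature, validity period, then the CRL lookup) in Python, with X.509/DER structures replaced by plain dicts and real RSA/ECDSA signatures replaced by an HMAC stand-in so it runs offline. The CA name, signing key, gateway names, serial numbers, dates and the function names are all constructed assumptions for illustration.

```python
"""Added example, not part of the Nortel manual: a minimal model of the
peer-certificate validation a security gateway performs before trusting
the public key received during IKE negotiation. X.509/DER parsing and
RSA/ECDSA signatures are replaced by plain dicts and an HMAC stand-in so
the block runs offline; every name and value here is a constructed
assumption for illustration, not an SR4134 command or API."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed CA. In a real PKI the CA signs with a private key and the
# gateway holds the CA's X.509 certificate; a shared secret stands in here.
CA_NAME = "CN=Example VPN CA"
CA_KEY = b"constructed-ca-signing-key"


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _cert_tbs(cert):
    # The "to be signed" fields of a certificate: subject, serial, issuer
    # and validity period. Changing any of them invalidates the signature.
    return "|".join([cert["subject"], str(cert["serial"]), cert["issuer"],
                     cert["not_before"].isoformat(),
                     cert["not_after"].isoformat()]).encode()


def _crl_tbs(crl):
    # A CRL binds issuer, thisUpdate/nextUpdate and the revoked serial list.
    serials = ",".join(str(s) for s in sorted(crl["revoked"]))
    return "|".join([crl["issuer"], crl["this_update"].isoformat(),
                     crl["next_update"].isoformat(), serials]).encode()


def issue_cert(subject, serial, not_before, not_after,
               ca_name=CA_NAME, ca_key=CA_KEY):
    cert = {"subject": subject, "serial": serial, "issuer": ca_name,
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = _sign(ca_key, _cert_tbs(cert))
    return cert


def issue_crl(revoked_serials, this_update, next_update,
              ca_name=CA_NAME, ca_key=CA_KEY):
    crl = {"issuer": ca_name, "revoked": list(revoked_serials),
           "this_update": this_update, "next_update": next_update}
    crl["signature"] = _sign(ca_key, _crl_tbs(crl))
    return crl


def validate_peer_cert(cert, crl, trusted_ca, now):
    """Return (accepted, reason). Every check before the CRL lookup matters:
    a serial that is 'not on the CRL' proves nothing if the certificate was
    not issued by the trusted CA or the CRL itself is forged or stale."""
    ca_name, ca_key = trusted_ca
    if cert["issuer"] != ca_name:
        return False, "issuer is not the trusted CA"
    if not hmac.compare_digest(cert["signature"], _sign(ca_key, _cert_tbs(cert))):
        return False, "certificate signature invalid"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside validity period"
    if crl["issuer"] != ca_name:
        return False, "CRL not issued by the trusted CA"
    if not hmac.compare_digest(crl["signature"], _sign(ca_key, _crl_tbs(crl))):
        return False, "CRL signature invalid"
    if not crl["this_update"] <= now <= crl["next_update"]:
        return False, "CRL stale or not yet valid"
    if cert["serial"] in crl["revoked"]:
        return False, "certificate revoked"
    return True, "valid"


def run_demo():
    """Exercise the validator against constructed peers and CRLs."""
    now = datetime(2007, 8, 3, 12, 0, tzinfo=timezone.utc)
    year = timedelta(days=365)
    good = issue_cert("CN=gw-branch-1", 1001, now - year, now + year)
    revoked = issue_cert("CN=gw-branch-2", 1002, now - year, now + year)
    expired = issue_cert("CN=gw-branch-3", 1003, now - 2 * year, now - year)
    # Forged: correct issuer name, but signed with a key the CA never held.
    forged = issue_cert("CN=gw-branch-1", 1001, now - year, now + year,
                        ca_key=b"attacker-key")
    fresh_crl = issue_crl([1002], now - timedelta(days=1), now + timedelta(days=6))
    stale_crl = issue_crl([1002], now - timedelta(days=30), now - timedelta(days=23))
    ca = (CA_NAME, CA_KEY)
    return {
        "valid": validate_peer_cert(good, fresh_crl, ca, now),
        "revoked": validate_peer_cert(revoked, fresh_crl, ca, now),
        "expired": validate_peer_cert(expired, fresh_crl, ca, now),
        "forged": validate_peer_cert(forged, fresh_crl, ca, now),
        "stale_crl": validate_peer_cert(good, stale_crl, ca, now),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:10s} accepted={ok} ({reason})")
```

The order of the checks is the point: the CRL lookup is the last step, after the gateway has established that the certificate and the CRL were both signed by the mutually trusted CA and that the CRL is still within its thisUpdate/nextUpdate window. A gateway that only asked "is this serial on the CRL?" would accept a forged certificate or trust a CRL that predates the revocation.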