Certificate Authority - IPsec VPN Tutorial Guide



When you're opening a bank account, you have to bring a form of ID from a reliable source, such as a passport or driving licence; a certificate authority (CA) provides this form of identity for the internet. Digital signatures form the digital credentials that are used over the internet to authenticate the identity of a party sending data in an IPsec arrangement, and these digital certificates are issued by CAs such as Verisign and Thawte.

Verisign would send a certificate to each person or entity and digitally sign it with its (Verisign's) private key, and that signature certifies the authenticity of the user or device. Certificates are then loaded and verified by end users.

For example, Joe wants to communicate with Carl, so Joe sends his certificate to Carl, and Carl checks the certificate's CA signature against Verisign. He uses Verisign's CA public key to confirm that the CA signature on the certificate is genuine. If the certificate is valid, then Carl can assume Joe is who he says he is, and the message is valid. Then Joe checks Carl's certificate in the same way, and if that certificate is also valid, the VPN negotiation can proceed.

All certificates are exchanged during the IPsec negotiation process. CAs are the masterminds behind the public key infrastructure (PKI). The CA's own digital certificate is created with the CA's private key; it is the one that guarantees the authenticity.

Some examples of public CAs are Verisign, RSA, Entrust, Thawte, and Baltimore.

Digital signatures vs digital certificates

Looking further into digital certificates and digital signatures, the following describes the differences and the relationship between the two:

Digital signature – Links a message or data to the sender's private key. On the receiving end, the encrypted hash can only be decrypted by using the sender's public key. It is used to prove authenticity and to validate identity.

Digital certificate – Binds or links a person or a corporate entity to a private key. To be clear, this does not bind the data or the message itself. It is an X.509 certificate which proves the entity is who it claims to be.

The relationship between a digital signature and a digital certificate is that a certificate can be used to link or bind a person or entity to a digital signature. A certificate is like a person's driving licence, whereas a signature is like a person's credit card.
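The Joe-and-Carl exchange above, together with the signature-versus-certificate distinction, can be run end to end with nothing but Go's standard library. The program below is an added example written for this page; it is not code from the tutorial or from any CA. The CA name, the peer names "Joe" and "Carl", the serial numbers and the sample message are all constructed for the demonstration. It builds a self-signed CA (the role Verisign plays in the text), issues X.509 certificates to both peers, performs Carl's check that a received certificate chains to a CA he trusts and names the peer he expected, and then shows the separate step of Joe signing a message with his private key and Carl verifying that signature with the public key carried in Joe's certificate. A certificate minted by a second, untrusted CA for the same name is rejected, which is the whole point of Carl consulting his trust store rather than the certificate itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certification authority constructed for this example.
// Pool is the trust store a peer consults, in the role Verisign plays in the text.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool
}

// NewCA generates the CA key pair and a self-signed CA certificate.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, Key: key, Pool: pool}, nil
}

// Issue creates a peer key pair and a certificate carrying the peer's public key,
// signed with the CA's private key. The peer's private key never leaves the peer.
func (ca *CA) Issue(peer string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: peer},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer is Carl's check on Joe's certificate: the CA signature must chain to a
// CA in the trusted pool, the validity period must cover now, and the subject name
// must be the peer Carl expected to talk to.
func VerifyPeer(cert *x509.Certificate, trusted *x509.CertPool, expectedName string) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != expectedName {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, expectedName)
	}
	return nil
}

// SignMessage produces a digital signature: it binds the message to the sender's private key.
func SignMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifySignature checks the signature with the public key found in the sender's
// certificate: the certificate supplies the key, the signature covers the data.
func VerifySignature(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	ca, _ := NewCA("Example CA (constructed)")
	joeCert, joeKey, _ := ca.Issue("Joe", 2)
	carlCert, _, _ := ca.Issue("Carl", 3)
	fmt.Println("Carl checks Joe:", VerifyPeer(joeCert, ca.Pool, "Joe"))
	fmt.Println("Joe checks Carl:", VerifyPeer(carlCert, ca.Pool, "Carl"))
	rogue, _ := NewCA("Untrusted CA (constructed)")
	fakeJoe, _, _ := rogue.Issue("Joe", 4)
	fmt.Println("Carl checks a 'Joe' cert from an untrusted CA:", VerifyPeer(fakeJoe, ca.Pool, "Joe"))
	msg := []byte("IKE proposal from Joe (constructed)")
	sig, _ := SignMessage(joeKey, msg)
	fmt.Println("Joe's signature verifies with his certificate:", VerifySignature(joeCert, msg, sig))
}
```

Two design points worth noticing. VerifyPeer does two independent checks, and both matter: chain validation answers "did a CA I trust sign this?", while the name comparison answers "is this the peer I meant to talk to?"; a certificate can pass the first and fail the second. And the signature functions never touch the CA at all, which is the practical meaning of the distinction drawn above: the certificate establishes whose key this is, the signature establishes that this particular message came from the holder of that key.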

Further Reading

Wikipedia's guide to Certification Authority