Digital Certificates - VPN Tutorial
Public Key Authentication
Like Pre-shared keys, using digital certificates is another way to prove you are authenticated. It proves you are who you say you are, or your VPN Firewall is who it says it is. A digital certificate is an electronic document and is obtained by a reputable Certification Authority (CA) who manages such certificates. Verisign is an example of a Certification Authority. If two peers accept each other’s digital certificates, they trust each others identity, though they trust that the opposite peer is who they say they are.
When a CA issues a certificate to a VPN device then it is guaranteeing the VPN device is who it claims to be and it does this by signing the certificate it assigns and provides to the VPN device.
A real life comparison would be like humans having identity cards such as a driving licence, a passport, etc. A digital certificate plays the same role for authenticating devices proving they are who they say they are by exposing their certificates (Their version of a passport/driving licence) to peer devices.
Remember that the certificates presented and it’s certificate authority who issued the certificate must be trusted. If a remote party does not trust your certificate authority or does not know your CA, then your identity may not be trusted. Certificates issued by a known provider such as Verisign is going to be trusted by everyone, but certificates issued by small CA’s could easily not be trusted.
In a real world scenario, if you were shown ID from a human being using their DVLA driving license you would feel confident they are who they say they are, having an ID issued by DVLA. However on the other hand if they were to show you their employee ID from company Joe Bloggs, or some other random ID you would most likely feel a little suspicious.
How this works is, you are issued a certificate from a CA. When you pass your certificate to a peer, they check your certificate against the CA certificate which is cryptographically tied with your certificate, and if they match, then the remote peer would trust your identity. You would also take the same steps in checking your remote peer’s identity.
Wikipedia's guide to Public Key Certificates