About IPsec Certificates

You can configure IKE to use digital certificates for authentication during phase 1. Digital certificates are usually more secure than preshared keys: the secret (the private key) never leaves the host that generated it, whereas a preshared key must be distributed to both endpoints and can be leaked.

A certificate includes (among other information):

  • A subject name, which identifies the endpoint

  • The host's public key

  • The CA's signature

The VPN tunnel endpoints must trust the CAs that sign each other's certificates; therefore, each tunnel endpoint must have the root certificate of the Certificate Authority (CA) that issued the other endpoint's certificate.

The Threat Management Services (TMS) zl Module supports X.509 certificates in DER (Distinguished Encoding Rules) or PEM (Privacy Enhanced Mail) format. For the public/private key pair, it supports DSA (Digital Signature Algorithm) and RSA (Rivest-Shamir-Adleman) keys.

You can import certificates to the TMS zl Module manually, or you can obtain them automatically using SCEP (Simple Certificate Enrollment Protocol).
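The checks an administrator would run on a peer's certificate before importing it manually, as an added example that is not part of the TMS zl documentation or its CLI: it accepts either DER or PEM, confirms the certificate chains to the expected CA root, confirms the subject name identifies the expected endpoint, and reports the key algorithm. It assumes the openssl command-line tool is installed; the CA names, endpoint name and files are constructed for the example.

```shell
# Added example (not from the TMS zl documentation); requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed test data: a throwaway CA root and an endpoint certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=tunnel-a.example.net" \
    -keyout "$WORK/ep.key" -out "$WORK/ep.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/ep.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/ep.pem" 2>/dev/null
# The same certificate in DER, the other encoding the module accepts.
openssl x509 -in "$WORK/ep.pem" -outform DER -out "$WORK/ep.der"
# A second, unrelated CA: certificates it did not sign must be rejected under it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# cert_to_pem FILE: normalise a DER or PEM certificate to PEM on stdout.
cert_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# key_algorithm FILE: print the public key algorithm, e.g. rsaEncryption.
key_algorithm() {
    cert_to_pem "$1" | openssl x509 -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}

# check_peer_cert FILE CAFILE EXPECTED_CN
# Returns 0 only if FILE chains to the root in CAFILE (return 1 otherwise) and
# its subject CN is exactly EXPECTED_CN (return 2 otherwise).
check_peer_cert() {
    pem="$WORK/check.pem"
    cert_to_pem "$1" > "$pem"
    openssl verify -CAfile "$2" "$pem" > /dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$3" | *"CN=$3,"*) return 0 ;;
        *) return 2 ;;
    esac
}
```

Run it with a real peer certificate, your own CA root file and the peer's expected subject name in place of the constructed ones; a non-zero return means the certificate should not be imported.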