

Certificate Requirements

The ENC Gateway uses X.509 v3 certificates issued for use with the standard TLS 1.0 (SSL 3.1) security protocol. The ENC Gateway can use standard TLS certificates, but it also supports an extended key usage extension that lets the ENC subsystem identify certificates that are intended primarily for use by the ENC Gateway.

The ENC Gateway searches for the best certificate to load as its identity. On the first pass, it looks for valid certificates (with associated private keys) that are marked with the CA ENC usage extension (see (1) in the following table) and also carry the TLS extended key usage for client authentication (2) or server authentication (3), as appropriate for the node's role (4).

The following table provides some additional details about the terms marked with (1) to (4) in the above paragraph:

Marker  Information

(1)     CA Technologies has internally allocated an object identifier (OID) to be used in X.509 v3 certificates as an extended key usage identifier (see RFC 2459 section 4.2.1.13). This OID indicates that the certificate is for use by the ENC security subsystem.
          • The object identifier is “1.3.6.1.4.1.791.2.10.8.3”
          • The object identifier's symbolic tag is “OID_PKIX_KP_CA_CMS_ENC_TLS_AUTH”
          • The usage extension can be marked as critical or noncritical.
          • The CA Technologies base OID is “1.3.6.1.4.1.791”, which is IANA registered.

(2)     The OID for TLS client authentication is “1.3.6.1.5.5.7.3.2”.

(3)     The OID for TLS server authentication is “1.3.6.1.5.5.7.3.1”.

(4)     For ENC Gateway nodes that act as both a client and a server (routers and Gateway servers), the security subsystem can use either a single certificate marked for both client and server authentication, or two individual certificates, one marked for client authentication only and one for server authentication only.

If the ENC Gateway does not find suitable certificates on the first pass, it repeats the search without requiring the CA ENC usage extension.
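The two-pass selection described above, written out as an added example (not the ENC Gateway's own code): the OIDs are the ones quoted on this page, while the Cert class, the sample certificate store and the helper names are assumptions made for the demonstration. It covers both the single combined certificate and the client-only plus server-only pair for a node that acts in both roles.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Object identifiers quoted on this page
OID_PKIX_KP_CA_CMS_ENC_TLS_AUTH = "1.3.6.1.4.1.791.2.10.8.3"
OID_TLS_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_TLS_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ROLE_OIDS = {"client": OID_TLS_CLIENT_AUTH, "server": OID_TLS_SERVER_AUTH}

@dataclass(frozen=True)
class Cert:  # hypothetical in-memory view of a stored certificate
    name: str
    eku: frozenset  # extended key usage OIDs the certificate carries
    not_after: datetime
    has_private_key: bool = True

def is_candidate(cert, now, require_enc):
    """Unexpired, private key present and, on the first pass, the CA ENC usage OID."""
    if not cert.has_private_key or now > cert.not_after:
        return False
    return (not require_enc) or OID_PKIX_KP_CA_CMS_ENC_TLS_AUTH in cert.eku

def search(certs, needed, now, require_enc):
    """One pass: a cert covering every needed usage, else one cert per usage, else None."""
    pool = [c for c in certs if is_candidate(c, now, require_enc)]
    combined = [c for c in pool if needed <= c.eku]
    if combined:
        return {oid: combined[0].name for oid in needed}
    chosen = {}
    for oid in needed:
        per_usage = [c for c in pool if oid in c.eku]
        if not per_usage:
            return None  # this pass cannot cover the role
        chosen[oid] = per_usage[0].name
    return chosen

def select_identity(certs, roles, now):
    """Two passes: CA ENC extension required first, then the same search without it."""
    needed = frozenset(ROLE_OIDS[r] for r in roles)
    return search(certs, needed, now, True) or search(certs, needed, now, False)

# Constructed sample store: names and dates are made up for the demonstration
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER, EARLIER = NOW + timedelta(days=365), NOW - timedelta(days=1)
ENC = OID_PKIX_KP_CA_CMS_ENC_TLS_AUTH
STORE = [
    Cert("plain-server", frozenset({OID_TLS_SERVER_AUTH}), LATER),
    Cert("enc-client", frozenset({ENC, OID_TLS_CLIENT_AUTH}), LATER),
    Cert("enc-server-expired", frozenset({ENC, OID_TLS_SERVER_AUTH}), EARLIER),
    Cert("enc-both-nokey", frozenset({ENC, OID_TLS_CLIENT_AUTH, OID_TLS_SERVER_AUTH}), LATER, False),
]
```

With this store a client-only node gets the ENC-marked certificate on the first pass, while a node needing both roles falls through to the second pass because the only ENC-marked server certificates are expired or lack a private key.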

When you create certificates for use by the ENC Gateway, we recommend that you add the CA extended key usage OID to them; however, the ENC Gateway will operate without it.