Certification Authorities
Understanding how CAs help to configure IKE requires understanding something about public/private key encryption. Public/private keys, also called asymmetric keys, are a pair of keys with the property that data encrypted with one key can only be decrypted using the other key. This property has been used to solve the scalability problem encountered when sharing secrets over a non-secure network.

After generating a public/private key pair, one key is kept secret (the private key) and the other key is made easily available (the public key). When any peer needs to share a secret with the owner of the private key, it simply encrypts the information using the public key. The only way to decrypt the original information is by using the private key. Using this method, encrypted information can be shared over a non-secure network without transmitting the secret key required to decipher it.

This unique property of public/private key pairs also provides an excellent method of authentication. A public key only decrypts a message encrypted with the corresponding private key. If a message can be read using a given public key, you know for certain that the sender of the message owns the corresponding private key.

This is where the CA comes in. A public key certificate, or digital certificate, is used to associate a public/private key pair with a given IP address or host name. A certification authority (CA) issues public key certificates for a specific period of time. A CA can be a private (in-house) CA, run by your own organization, or a public CA. A public CA, such as VeriSign, is operated by a third party that you trust to validate the identity of each client or server to which it issues a certificate.

Digital certificates are used by the IKE protocol to create the first pair of security associations (SAs), which provide a secure channel for negotiating the IPsec SAs. To use certificates for negotiating IKE SAs, both IPsec peers have to generate public/private key pairs, request and receive public key certificates, and be configured to trust the CA that issues the certificates.
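The relationships described in the three paragraphs above (a key pair whose private half stays with its owner, a CA that binds the public half to an IP address for a limited period, and a peer that accepts only certificates issued by a CA it trusts), as an added example that is not part of this Cisco document: it uses the Go standard library's x509 package and an assumed in-house CA with P-256 keys, and demonstrates the certificate trust check rather than the IKE exchange itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Issue generates a fresh P-256 key pair and a certificate for its public half.
// With ca == nil the result is a self-signed in-house CA certificate (assumed setup);
// otherwise the CA binds the new public key to the peer's IP address for `days` days.
// The private key is returned to its owner only and is never sent over the network.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, ip net.IP, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	if ca == nil { // self-signed root: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	} else { // peer certificate: identity is the IP address; the peer proves key ownership by signing
		tmpl.IPAddresses, tmpl.KeyUsage = []net.IP{ip}, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PeerTrusts is the check an IPsec peer makes before accepting a certificate: the chain
// must end at a CA in its own trust store, the certificate must be inside its validity
// period, and it must name the IP address the peer is actually talking to.
func PeerTrusts(trustedCA, cert *x509.Certificate, ip net.IP) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip.String()})
	return err == nil
}
```

A certificate for a different IP address, or one issued by a CA that is not in the peer's trust store, fails PeerTrusts even though its signature is valid.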

Most browsers, by default, trust certificates from well-known CAs, such as VeriSign, and provide options for adding CAs and for generating and requesting a digital certificate. You can also preconfigure browser software with your CA and the necessary certificates before it is distributed to users.

The procedure for configuring PIX Firewall to use IKE with digital certificates is described in "Using Certification Authorities" in "Basic VPN Configuration."
