On Wed, Nov 25, 2009 at 06:09:48PM +0200, Harhit Tam wrote:
> Hello,
>
> I have two IPsec peers that shared self-signed certificates via a secure
> out-of-band channel.

This sort of deployment is not as uncommon as some might think.

> Where should I put the peer's certificate so that IKEv2 can use it for
> authentication?
>
> Is it the Peer Authorization Database?

The PAD isn't a certificate repository per se (from where your IKE gets its certificates is really implementation-specific), but the PAD would be the place to say (for example):

    Upon seeing IKE identity <X>, verify with certificate <FOO>.

where <X> is either the Distinguished Name or one of the Subject Alternative Names of the certificate <FOO>. The PAD is where you say to trust the self-signed certificate. Where the certificate actually resides is up to your implementation.

Hope this helps,

Dan

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
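The PAD rule Dan describes ("upon seeing IKE identity X, verify with certificate FOO", with X bound into FOO as its DN or a SAN) can be modelled to show what a responder actually checks when both peers pin self-signed certificates. The following is an added example, not code from the thread or from any IKE implementation; the certificate record, the PAD layout and all sample names are constructed, and the signature check over the IKE_AUTH payload is left to IKE and not modelled.

```python
"""PAD-style lookup for IKEv2 peers that pin each other's self-signed certificates."""
import hashlib
import hmac
from dataclasses import dataclass

# IKEv2 ID payload types used in this example (names as in RFC 7296).
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    der: bytes          # DER bytes; placeholder content in this example
    subject_dn: str     # Subject Distinguished Name, as a string
    sans: tuple = ()    # Subject Alternative Names, as (id_type, value) pairs

    def fingerprint(self) -> bytes:
        return hashlib.sha256(self.der).digest()

    def has_identity(self, ike_id) -> bool:
        """Does this cert carry the asserted IKE identity as its DN or a SAN?"""
        id_type, value = ike_id
        if id_type == ID_DER_ASN1_DN:
            return value == self.subject_dn
        return (id_type, value) in self.sans


@dataclass(frozen=True)
class PadEntry:
    """One PAD row: 'upon seeing IKE identity ike_id, verify with trusted_cert'."""
    ike_id: tuple
    trusted_cert: Cert


class Pad:
    def __init__(self, entries):
        self._by_id = {e.ike_id: e for e in entries}

    def authenticate(self, asserted_id, presented_cert) -> str:
        """Return 'ok' or a reason string describing why the peer is rejected."""
        entry = self._by_id.get(asserted_id)
        if entry is None:
            return "unknown-identity"
        # Self-signed cert: there is no chain to walk, so the copy exchanged out
        # of band *is* the trust anchor. Compare fingerprints in constant time.
        if not hmac.compare_digest(entry.trusted_cert.fingerprint(),
                                   presented_cert.fingerprint()):
            return "certificate-mismatch"
        # The identity must be bound into the cert (DN or a SAN), so a valid
        # cert cannot be presented under a different IKE identity.
        if not presented_cert.has_identity(asserted_id):
            return "identity-not-in-certificate"
        return "ok"


# Constructed sample data for the two peers from the question.
PEER_A_CERT = Cert(
    der=b"constructed-der-for-peer-a",
    subject_dn="CN=gw-a.example.net,O=Example",
    sans=((ID_FQDN, "gw-a.example.net"),),
)
PEER_B_CERT = Cert(
    der=b"constructed-der-for-peer-b",
    subject_dn="CN=gw-b.example.net,O=Example",
    sans=((ID_FQDN, "gw-b.example.net"), (ID_RFC822_ADDR, "ike@gw-b.example.net")),
)
# Negative case: a different self-signed cert carrying peer A's names. Its
# bytes differ, so the pinned fingerprint rejects it.
OTHER_CERT_WITH_A_NAMES = Cert(
    der=b"constructed-der-for-other-cert",
    subject_dn=PEER_A_CERT.subject_dn,
    sans=PEER_A_CERT.sans,
)

PAD = Pad([
    PadEntry((ID_FQDN, "gw-a.example.net"), PEER_A_CERT),
    PadEntry((ID_DER_ASN1_DN, "CN=gw-b.example.net,O=Example"), PEER_B_CERT),
    # Deliberate misconfiguration: an identity that peer B's cert does not carry.
    PadEntry((ID_FQDN, "vpn.example.net"), PEER_B_CERT),
])

if __name__ == "__main__":
    print(PAD.authenticate((ID_FQDN, "gw-a.example.net"), PEER_A_CERT))
    print(PAD.authenticate((ID_FQDN, "gw-a.example.net"), OTHER_CERT_WITH_A_NAMES))
    print(PAD.authenticate((ID_FQDN, "vpn.example.net"), PEER_B_CERT))
```

The three rejection reasons correspond to the three things the PAD entry ties together: the asserted identity must have an entry, the presented certificate must be the pinned one (no chain validation exists for a self-signed cert, so the out-of-band copy is the only anchor), and the identity must appear in that certificate's DN or SANs. Where the pinned certificate bytes are stored is, as the reply says, the implementation's business; the PAD only needs to be able to find them.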