A growing number of certificate-based VPN connections are used to provide secure communications over public networks. The high level of security that certificates provide comes at the price of significantly more effort in administering and distributing them. Most of this effort arises at the branch offices or home offices of a geographically dispersed network.
A VPN router requires the following components to establish a certificate-based VPN connection from a remote site to the network at the headquarters:
- The root CA's certificate, containing the CA's public key. The router uses it to verify the certificate presented by the peer; the headquarters gateway also requires a certificate issued by the same CA.
- The device's own certificate with its own public key. This certificate is signed with the CA's private key and serves as the device's proof of identity to the peer.
- The device's own private key, which matches the public key in its certificate and must never leave the device.
In a conventionally structured certificate-based VPN, the keys and certificates have to be loaded into each device manually and replaced before they expire. The Simple Certificate Enrollment Protocol (SCEP) enables the secure and automatic distribution of certificates via a suitable server, thereby reducing the effort of rolling out and maintaining certificate-based network structures. There is no need for an external application to generate the key pair and subsequently transfer it to the device. Instead, the VPN router generates the key pair itself; the private key never has to leave the device, which is a significant security gain. The VPN router can then automatically retrieve the CA root certificate and its own certificate from a central location. Two checks remain with the administrator: the CA certificate that SCEP delivers is not itself authenticated, so its fingerprint must be compared against a value obtained out of band before it is trusted, and the enrollment request should carry the challenge password issued by the SCEP server so that only authorized devices can obtain certificates.
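The enrollment described above, played through end to end with the openssl command-line tool, as an added example (it is not part of the original page and not any router vendor's implementation): the router side generates its key pair locally and keeps the private key, the CA side stands in for the SCEP server, and the fingerprint comparison and the challenge password show the two points at which enrollment is refused. Directory names, the subject `branch-01.example.net`, the CA name and the challenge password are assumptions; a local file copy replaces the HTTP GetCACert/PKCSReq exchange that a real SCEP client would perform.

```shell
#!/bin/sh
# Added example (not from the original page): the SCEP enrolment life cycle
# for a VPN router, played through with the openssl CLI. The "router" side
# generates its key pair locally and keeps it; the "CA" side stands in for the
# SCEP server. All names, paths and the challenge password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"          # stands in for the SCEP server / CA
RTR_DIR="$WORK/router"     # stands in for the VPN router's own storage
CHALLENGE="branch-01-enrol-7f3a"   # assumed challenge password handed to the branch

# CA side: the root CA that headquarters and every branch router trust.
make_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# What the administrator reads off the CA out of band (lowercase hex, no colons).
ca_fingerprint() {
    openssl x509 -in "$CA_DIR/ca.crt" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Router side, step 1: the key pair is generated on the device itself and the
# private key is never copied anywhere else.
router_keygen() {
    mkdir -p "$RTR_DIR"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$RTR_DIR/device.key" 2>/dev/null
    chmod 600 "$RTR_DIR/device.key"
}

# Router side, step 2: SCEP GetCACert returns the CA certificate without any
# authentication, so the router compares its SHA-256 fingerprint with the
# value obtained out of band. Returns 0 on match, 1 on mismatch.
router_fetch_ca() {
    expected="$1"
    cp "$CA_DIR/ca.crt" "$RTR_DIR/ca.crt"   # stands in for the HTTP GetCACert fetch
    actual=$(openssl x509 -in "$RTR_DIR/ca.crt" -noout -fingerprint -sha256 \
             | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Router side, step 3: build the PKCS#10 request carrying the challenge password.
router_make_csr() {
    cat > "$RTR_DIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
attributes = attrs
[dn]
CN = branch-01.example.net
[attrs]
challengePassword = $CHALLENGE
EOF
    openssl req -new -sha256 -key "$RTR_DIR/device.key" \
        -config "$RTR_DIR/csr.cnf" -out "$RTR_DIR/device.csr" 2>/dev/null
}

# CA side, step 4 (stands in for SCEP PKCSReq handling): refuse a request that
# does not carry the expected challenge password, otherwise issue a one-year cert.
ca_issue() {
    openssl req -in "$RTR_DIR/device.csr" -noout -text \
        | grep challengePassword | grep -q -- "$CHALLENGE" || return 1
    openssl x509 -req -in "$RTR_DIR/device.csr" -sha256 -days 365 \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$RTR_DIR/device.crt" 2>/dev/null
}

# Router side, step 5: the issued certificate must chain to the trusted CA and
# must contain the public key that belongs to the locally held private key.
router_verify_issued() {
    openssl verify -CAfile "$RTR_DIR/ca.crt" "$RTR_DIR/device.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$RTR_DIR/device.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$RTR_DIR/device.crt" -noout -pubkey)" ]
}

# Maintenance: returns 0 when the certificate expires within DAYS, i.e. the
# router should re-enrol now instead of waiting for the VPN to fail.
router_cert_needs_renewal() {
    days="$1"
    if openssl x509 -in "$RTR_DIR/device.crt" -noout \
            -checkend "$((days * 86400))" >/dev/null; then
        return 1
    fi
    return 0
}

run_enrolment() {
    make_ca
    router_keygen
    router_fetch_ca "$(ca_fingerprint)" || { echo "CA fingerprint mismatch" >&2; return 1; }
    router_make_csr
    ca_issue
    router_verify_issued
}

run_enrolment
echo "enrolment complete; the private key never left $RTR_DIR"
```

Run it with a POSIX shell on a host with openssl installed. `router_cert_needs_renewal 30` is the kind of check a router schedules periodically so that it re-enrols while the old certificate is still valid, rather than after the tunnel has already gone down.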