For certificate-based VPN connections, the device stores the following in its file system: a private key, a device certificate, and the CA certificate. With a single-level certificate hierarchy, these can be provided either as individual files or as a PKCS#12 file. After the container is uploaded and its password is entered, it is separated into the three components listed above.
With a multi-level certificate hierarchy, however, a PKCS#12 container has to be used, and it must include the CA certificates from all levels of the certificate chain. After the container is uploaded and the password is entered, the private key, the device certificate and the certificate of the next CA "above" the device are unpacked; the other certificates remain in the PKCS#12 container. The unpacked certificates and the certificates from the container are imported when the VPN configuration is updated. A remote station establishing a VPN connection transfers only its own device certificate, not the entire chain. The device then checks this certificate against the hierarchy available to it.
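
The following OpenSSL session is an added example, not part of the original documentation or the device's own tooling. It builds a constructed two-level hierarchy, packs a PKCS#12 container with the CA certificates of all levels, and shows that a peer presenting only its own certificate is verified against the full hierarchy but rejected when the root CA is missing. All names, file names and the password are assumptions.

```shell
#!/bin/sh
# Added example: constructed two-level PKI (root CA -> sub CA -> device and peer).
# All names, file names and the password are assumptions, not values from the device.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
PASS=pass:example-only

mkreq() {  # $1 = file prefix, $2 = common name: new key plus signing request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {   # $1 = subject prefix, $2 = issuer prefix, rest = extra x509 options
  s=$1; i=$2; shift 2
  openssl x509 -req -in "$s.csr" -CA "$i.crt" -CAkey "$i.key" \
    -CAcreateserial -days 30 -out "$s.crt" "$@" 2>/dev/null
}
check_peer() {  # $1 = CA file; succeeds only if peer.crt chains to a root in it
  openssl verify -CAfile "$1" "$WORK/peer.crt" >/dev/null 2>&1
}
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
mkreq root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 30 -out root.crt 2>/dev/null
mkreq sub "Example Sub CA";        sign sub root -extfile ca.ext
mkreq device "Example Device";     sign device sub
mkreq peer "Example Remote Peer";  sign peer sub

# PKCS#12 container for upload: key, device certificate and CA certs of ALL levels.
cat sub.crt root.crt > chain.pem
openssl pkcs12 -export -inkey device.key -in device.crt -certfile chain.pem \
  -passout "$PASS" -out device.p12

# Hierarchy available to the device (unpacked sub CA plus the certificates left in
# the container), combined into one file here as a simplification.
openssl pkcs12 -in device.p12 -passin "$PASS" -nokeys -cacerts -out hierarchy.pem 2>/dev/null
openssl pkcs12 -in device.p12 -passin "$PASS" -nokeys -clcerts -out device-unpacked.crt 2>/dev/null

echo "CA certificates in container: $(count_certs hierarchy.pem)"
# The peer sends only peer.crt; the check succeeds against the full hierarchy ...
check_peer hierarchy.pem && echo "peer accepted with full hierarchy"
# ... and fails if only the sub CA had been packed (no path to the root).
check_peer sub.crt || echo "peer rejected with sub CA only"
```

The rejected case is what an incomplete container looks like in practice: the peer certificate itself is valid, but the chain cannot be completed up to a trusted root.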