It is a trivial task for a user to generate a structurally sound X.509
certificate, and use it to negotiate mutually authenticated connections
to publicly available services. However, this scenario is a security
nightmare for IT administrators. You cannot allow every user to generate
their own certificate and use it on the Internet. For this reason, the
Enterprise Gateway can establish the authenticity of the client certificate by
ensuring that the certificate originated from a trusted source. To do
this, a server can perform a certificate chain check
on the client certificate.
The main purpose of certificate chain validation is to ensure that a
certificate has been issued by a trusted source. Typically, in a Public
Key Infrastructure (PKI), a Certificate Authority (CA) is responsible for
issuing and distributing certificates. This infrastructure is based on the
premise of transitive trust—if everybody trusts the CA,
everybody transitively trusts the certificates issued by that CA. If entities
only trust certificates that have been issued by the CA, they can reject
certificates that have been self-generated by clients.
When a CA issues a certificate, it digitally signs the certificate and
inserts a copy of its own certificate into it. This is called a
certificate chain. Whenever an application (such as the Enterprise Gateway)
receives a client certificate, it can extract the issuing CA certificate
from it, and run a certificate chain check to determine whether it should
trust the CA. If it trusts the CA, it also trusts the client certificate.
The Enterprise Gateway maintains a repository of trusted CA certificates, which is
known as the Certificate Store. To trust
a specific CA, that CA certificate must be imported into the Certificate
Store.