HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 441


When the peer receives the digital certificate, it extracts the host's public key
and the hash function that was used. It decrypts the signature with that public key,
recovering the hash, and compares it with the certificate. If they match, the peer
knows that no one has tampered with the certificate en route.
In order to fully authenticate a host, the peer must also have the CA's certificate
in its system. This certificate includes the CA's public key, which the peer uses
to verify the CA's signature. A genuine CA signature attests that the holder of
a certificate is who it says it is. Your CA should also issue you a certificate
revocation list (CRL), which lists current and expired certificates of hosts that
you trust to access your VPN.
Because a host can freely distribute its public key, it can authenticate itself to
anyone who trusts its CA. However, no one can pose as the host, because only
the host's unshared private key can encrypt and "sign" the certificate.
In summary, digital certificates present two important security advantages
over preshared keys:
- A host can authenticate itself to anyone who accepts the integrity of its
  CA, not just to those with whom it entrusts a shared secret.
- Because a host can authenticate itself without having to share its private
  key, it need never expose the key, verbally, in writing, or over the Internet.
The entire system for authentication with digital certificates—the individual
hosts, their certificates, and trusted CAs—is called the public key infrastructure (PKI).
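The two checks described above, the CA's signature on a host certificate and the peer's need to hold the CA's own certificate, demonstrated with a throw-away PKI built from the openssl command line. This is an added example, not from the HP manual or the router's own configuration; it assumes the openssl CLI is installed, and every name, subject and path is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the HP manual: a throw-away PKI built with the
# openssl command line. All names, subjects and paths are constructed.
set -e
WORK=$(mktemp -d)

# Self-signed CA certificate: the trust anchor the peer must hold.
make_ca() {   # $1 = key file, $2 = cert file, $3 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" -days 30 >/dev/null 2>&1
}

# Host key pair plus CSR; the CA signs the host's public key into a
# certificate. The private key is generated locally and never leaves the host.
issue_host_cert() {   # $1 = CA key, $2 = CA cert, $3 = output cert
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/host.key" \
    -out "$WORK/host.csr" -subj "/CN=vpn-host.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/host.csr" -CA "$2" -CAkey "$1" \
    -CAcreateserial -out "$3" -days 30 >/dev/null 2>&1
}

# The peer's check: verify the CA signature over the certificate body using
# the CA certificate it already trusts. Prints "ok" or "fail".
verify_host() {   # $1 = trusted CA cert, $2 = host cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Alter one byte of the subject CN (v -> X) while keeping the old signature:
# what a certificate "tampered with en route" looks like to the peer.
tamper() {   # $1 = host cert, $2 = output cert
  openssl x509 -in "$1" -outform DER -out "$WORK/t.der" 2>/dev/null
  off=$(LC_ALL=C grep -abo "vpn-host" "$WORK/t.der" | head -n1 | cut -d: -f1)
  printf 'X' | dd of="$WORK/t.der" bs=1 seek="$off" conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in "$WORK/t.der" -out "$2" 2>/dev/null
}

make_ca "$WORK/ca.key" "$WORK/ca.crt" "Demo VPN CA"
make_ca "$WORK/rogue.key" "$WORK/rogue.crt" "Untrusted CA"
issue_host_cert "$WORK/ca.key" "$WORK/ca.crt" "$WORK/host.crt"
issue_host_cert "$WORK/rogue.key" "$WORK/rogue.crt" "$WORK/rogue-host.crt"
tamper "$WORK/host.crt" "$WORK/tampered.crt"

echo "genuine cert, trusted CA:  $(verify_host "$WORK/ca.crt" "$WORK/host.crt")"
echo "tampered cert, trusted CA: $(verify_host "$WORK/ca.crt" "$WORK/tampered.crt")"
echo "same name, untrusted CA:   $(verify_host "$WORK/ca.crt" "$WORK/rogue-host.crt")"
```

The third case is the one the next paragraph warns about from the other direction: a certificate is only as trustworthy as the CA whose certificate the peer has chosen to install.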
CAs. The first step in obtaining a certificate is selecting a CA. In some ways,
the CA is the most vulnerable point in the PKI. Digital certificates rely on
robust algorithms and asymmetric keys that hackers cannot crack. However,
strong certificates do not protect against a hacker who obtains a certificate
using false credentials because the certificate itself is valid. For this reason,
it is very important that your CA be reputable and trusted. It should have
vigorous standards for ensuring that it issues certificates only to hosts submitting
their own authentic information.
Digital Signature Standards. CAs can use one of several algorithms to
encrypt data. The ProCurve Secure Router supports:
- Digital Signature Standard (DSS)
- Rivest-Shamir-Adleman Signature (RSA)
DSS, which is the U.S. government authentication standard, uses the Digital
Signature Algorithm (DSA) to create public and private keys.
Virtual Private Networks
Configuring a VPN Using IPSec
8-55

This manual is also suitable for: ProCurve Secure Router 7102 dl