Digital certificates for VPN connections

You can use digital certificates as a means of establishing an IBM® i VPN connection. Both endpoints of a dynamic VPN connection must be able to authenticate each other before activating the connection.

Endpoint authentication is done by the Internet Key Exchange (IKE) server on each end. After successful authentication, the IKE servers then negotiate the encryption methodologies and algorithms they will use to secure the VPN connection.

One method that the IKE servers can use to authenticate each other is a pre-shared key. However, a pre-shared key is less secure because you must communicate it manually to the administrator of the other VPN endpoint, so the key could be exposed to others while it is being communicated.

You can avoid this risk by using digital certificates, instead of a pre-shared key, to authenticate the endpoints. Each IKE server authenticates the other server's certificate; once both are authenticated, the servers negotiate the encryption methodologies and algorithms they will use to secure the connection.

You can use Digital Certificate Manager (DCM) to manage the certificates that your IKE server uses for establishing a dynamic VPN connection. You must first decide whether to use public certificates or to issue private certificates for your IKE server.

Some VPN implementations require that the certificate contain alternative subject name information, such as a domain name or an e-mail address, in addition to the standard distinguished name information. When you use the local CA in DCM to issue a certificate, you can specify alternative subject name information for the certificate. Specifying this information ensures that your VPN connection is compatible with other VPN implementations that require it for authentication.
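As an added example (not IBM documentation or code), the following Go program performs the two checks the paragraph above implies: whether a peer's certificate carries any alternative subject name information at all, and whether the identity the peer asserts during IKE (a domain name or an e-mail address) is one of the names its CA actually certified. The certificate is a constructed self-signed one standing in for one issued by the DCM local CA, and the identity kinds "fqdn" and "email" are assumed labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// HasAltNames reports whether the certificate carries any subjectAltName entries, which some VPN implementations require.
func HasAltNames(c *x509.Certificate) bool {
	return len(c.DNSNames) > 0 || len(c.EmailAddresses) > 0 || len(c.IPAddresses) > 0
}

// MatchesIdentity checks that the identity a peer asserts in IKE, a domain
// name (kind "fqdn") or an e-mail address (kind "email"), is one the CA bound
// into its certificate. Host and mail-domain names are case-insensitive.
func MatchesIdentity(c *x509.Certificate, kind, value string) bool {
	names := map[string][]string{"fqdn": c.DNSNames, "email": c.EmailAddresses}[kind]
	for _, n := range names { // an unknown kind yields nil: fail closed
		if strings.EqualFold(n, value) {
			return true
		}
	}
	return false
}

// NewTestCert builds a constructed self-signed certificate with the given
// alternative names, standing in for one issued by the DCM local CA.
func NewTestCert(dns, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		DNSNames:       dns,
		EmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate that passes HasAltNames but fails MatchesIdentity for the asserted peer ID should be rejected, since the CA never vouched for that identity.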