Problem solve Get help with specific problems with your technologies, process and projects.

How Kerberos, PKI and IPsec interoperate

In this Ask the Expert Q&A, our identity and access management expert explains how these three unrelated systems interoperate to authenticate and manage digital certificates.

Are Kerberos, PKI and IPsec interoperable?

Yes, all three are interoperable. The real question is, how? Since these are three separate and totally unrelated...

systems, let's examine each.

PKI (public key infrastructure), is a repository and management system for digital certificates. It can be the central authority in an organization for issuing, managing, storing, verifying, distributing and (eventually) retiring such certificates.

IPsec is a secure encrypted tunnel between two hosts communicating openly over the Internet. It's used in VPNs (virtual private networks) to provide authentication and confidentiality for traffic sent between the hosts.

Kerberos is an intricate encryption system that uses a series of tickets created and distributed by a central Kerberos server. It maintains security by issuing unique tickets for each session and transaction. Windows 2000, Windows XP and Windows 2003 Server are examples of systems that can use Kerberos.

How does it all come together? IPsec can use Kerberos for authentication and PKI to manage its digital certificates. There are packages available for mixing, matching and integrating all three systems. However, before any implementation, you should thoroughly evaluate their impact on the performance of your systems. You should also look at the number of users you have and their needs.

Each of the three systems has its pluses and minuses. PKI is not universal, Kerberos can be tricky to implement and install, and IPsec can be successfully set up without using either. Again, the best advice is to evaluate and plan before implementation.

More Information

This was last published in November 2005

Dig Deeper on PKI and digital certificates