There is something that bothers me when I think of the CA certificate and the local certificate.
Below are my questions related to juniper, but which can also be general.
1) "Request security pki ca certificate register ca profile ROOT2" The above is used to get the CA certificate from the CA server if I am not mistaken. And the same (certificate) is used to confirm that it is actually a trusted CA server. But what does the certificate actually contain? How does the device know that it is the intended CA server?
The diagram above shows how the recipient receives the certificate and decrypts it using the public key of the certification authority. But how does the recipient know about the public key and the hash algorithm?
-> Is this negotiated separately before it all happens?
-> And does that happen in plain text?
-> And is it also a one-off thing, since the CA certificate is loaded onto the router and is used only once to authenticate the CA server or is used again during any period of traffic flow between the IPSec peers?
2) "Security request pki local certificate register certificate ID"
In the above step, the VPN peer requests a local certificate.
-> Is the CA server informed about the peer's public key during this step or is it exchanged early?
-> And does the above diagram also apply to the local certificate? In this case, the certificate contains the peer's public key and other information such as subject, etc. Does it have a hash to create a "fingerprint / digest" and re-encrypt it with its private key?
-> And if the above process is correct, do the peers recheck the integrity and authenticity of the local certificate by decrypting with the public key of the certification authority and then only sending it to the other peer? If not, does it send the received local certificate directly to the peer?
I couldn't get the answers to the questions asked above.
Please help me understand the same. Thanks in advance.