
I'm currently studying IKE and IPsec in the context of VPN applications, and I know that an X.509 certificate is used to provide the server's public key to the client (and vice versa in the case of mutual authentication). This happens in IKE phase 1.

However, I found references to another "kind" of X.509 certificate in RFC 2528. It specifies how KEA (Key Exchange Agreement) keys should be stored in X.509 v3 certificates (subjectPublicKeyInfo). Yet I could not understand when this kind of certificate is used.

I did verify that pfSense, the software I'm using to configure the VPN server, requires a PEM certificate to be sent as the end-entity certificate to the VPN client. It does not require or mention an additional certificate for key exchange, though.

Is it built on the fly, or is this kind of certificate not used in this context?

I appreciate any clarification on this topic.

Thanks!

0 Answers