Implementing IPsec With CAs
With a CA, you do not have to configure keys between all the encrypting devices. Instead, you individually
enroll each participating device with the CA, requesting a certificate for the device. When this has been
accomplished, each participating device can dynamically authenticate all the other participating devices. This
process is illustrated in the illustration.
To add a new IPsec device to the network, you need only configure that new device to request a certificate
from the CA, instead of making multiple key configurations with all the other existing IPsec devices.
Implementing IPsec with Multiple Root CAs
With multiple root CAs, you no longer have to enroll a device with the CA that issued a certificate to a peer.
Instead, you configure a device with multiple CAs that it trusts. Thus, a device can use a configured CA (a
trusted root) to verify certificates offered by a peer that were not issued by the same CA defined in the identity
of the device.
Configuring multiple CAs allows two or more devices enrolled under different domains (different CAs) to
verify the identity of each other when using IKE to set up IPsec tunnels.
Through Simple Certificate Enrollment Protocol (SCEP), each device is configured with a CA (the enrollment
CA). The CA issues a certificate to the device that is signed with the private key of the CA. To verify the
certificates of peers in the same domain, the device is also configured with the root certificate of the enrollment
CA.
To verify the certificate of a peer from a different domain, the root certificate of the enrollment CA in the
domain of the peer must be configured securely in the device.
During Internet Key Exchange (IKE) phase one signature verification, the initiator will send the responder a
list of its CA certificates. The responder should send the certificate issued by one of the CAs in the list. If the
certificate is verified, the device saves the public key contained in the certificate on its public key ring.
With multiple root CAs, VPN users can establish trust in one domain and easily and securely distribute it to
other domains. Thus, the required private communication channel between entities authenticated under different
domains can occur.
How CA Certificates Are Used by IPsec Devices
When two IPsec devices want to exchange IPsec-protected traffic passing between them, they must first
authenticate each other—otherwise, IPsec protection cannot occur. The authentication is done with IKE.
Without a CA, a device authenticates itself to the remote device using either RSA-encrypted nonces or preshared
keys. Both methods require that keys must have been previously configured between the two devices.
With a CA, a device authenticates itself to the remote device by sending a certificate to the remote device and
performing some public key cryptography. Each device must send its own unique certificate that was issued
and validated by the CA. This process works because the certificate of each device encapsulates the public
key of the device, each certificate is authenticated by the CA, and all participating devices recognize the CA
as an authenticating authority. This scheme is called IKE with an RSA signature.
Your device can continue sending its own certificate for multiple IPsec sessions, and to multiple IPsec peers
until the certificate expires. When its certificate expires, the device administrator must obtain a new one from
the CA.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1144
Information About Certification Authority
To Next Page
Loading...
Need help?
General
