Implementing Certification Authority Interoperability on Cisco IOS XR Software
How to Implement CA Interoperability
SC-5
Cisco IOS XR System Security Configuration Guide
During IKE phase one signature verification, the initiator will send the responder a list of its CA
certificates. The responder should send the certificate issued by one of the CAs in the list. If the
certificate is verified, the router saves the public key contained in the certificate on its public key ring.
With multiple root CAs, Virtual Private Network (VPN) users can establish trust in one domain and
easily and securely extend it to other domains. The required private communication channel
between entities authenticated under different domains can then be established.
How CA Certificates Are Used by IPSec Devices
When two IPSec routers want to exchange IPSec-protected traffic passing between them, they must first
authenticate each other—otherwise, IPSec protection cannot occur. The authentication is done with IKE.
Without a CA, a router authenticates itself to the remote router using either RSA-encrypted nonces or
preshared keys. Both methods require keys to have been previously configured between the two routers.
With a CA, a router authenticates itself to the remote router by sending a certificate to the remote router
and performing some public key cryptography. Each router must send its own unique certificate that was
issued and validated by the CA. This process works because the certificate of each router encapsulates
the public key of the router, each certificate is authenticated by the CA, and all participating routers
recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your router can continue sending its own certificate for multiple IPSec sessions and to multiple IPSec
peers until the certificate expires. When its certificate expires, the router administrator must obtain a new
one from the CA.
When your router receives a certificate from a peer from another domain (with a different CA), the
certificate revocation list (CRL) downloaded from the CA of the router does not include certificate
information about the peer. Therefore, you should check the CRL published by the configured trustpoint
with the Lightweight Directory Access Protocol (LDAP) URL to ensure that the certificate of the peer
has not been revoked.
To query the CRL published by the configured trustpoint with the LDAP URL, use the query url
command in trustpoint configuration mode.
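The check described above, as an added example rather than code from the Cisco guide or the router: a peer certificate is looked up in the CRL of the trustpoint for the CA that issued it, after that CRL's signature has been verified, because the local CA's CRL carries no information about a peer from another domain. It assumes Python with the `cryptography` library; every CA name, serial number and CRL is constructed in memory.

```python
# Added example (not from the Cisco guide): a peer certificate from another domain is checked
# against the CRL published by the trustpoint for THAT issuing CA, after verifying the CRL's
# signature; the local CA's CRL knows nothing about the peer. All material is built in memory.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

NOW = dt.datetime(2024, 1, 1)   # fixed clock so validity windows are reproducible

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn):  # self-signed CA -> (private key, certificate); names are made up
    key = rsa.generate_private_key(65537, 2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_peer_cert(ca_key, ca_cert, cn, serial):  # router certificate issued by a CA
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(rsa.generate_private_key(65537, 2048).public_key())
            .serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=30)).sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):  # CRL carrying the CA's name, signed by ca_key
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def peer_cert_status(peer, trustpoints):
    """trustpoints: {issuer Name: (CA cert, CRL fetched from that trustpoint's query URL)}.
    Returns 'good', 'revoked', or 'unknown' (no usable CRL for the peer's issuer)."""
    entry = trustpoints.get(peer.issuer)                 # the PEER's CA, not the local one
    if entry is None:
        return "unknown"
    ca_cert, crl = entry
    if not crl.is_signature_valid(ca_cert.public_key()):  # CRL not signed by that CA
        return "unknown"
    if crl.get_revoked_certificate_by_serial_number(peer.serial_number) is not None:
        return "revoked"
    return "good"
```

A status of "unknown" is the case the text warns about: the only CRL at hand belongs to the router's own CA, so it cannot clear a peer certified by a different CA.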
CA Registration Authorities
Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a
server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
How to Implement CA Interoperability
This section contains the following procedures:
• Configuring a Router Hostname and IP Domain Name, page SC-6 (required)
• Generating an RSA Key Pair, page SC-7 (required)
• Declaring a Certification Authority and Configuring a Trusted Point, page SC-8 (required)
• Authenticating the CA, page SC-10 (required)
• Requesting Your Own Certificates, page SC-11 (required)
• Configuring Certificate Enrollment Using Cut-and-Paste, page SC-12