User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 25 Configuring IKE and IPsec Policies, page 25-47
Understanding Public Key Infrastructure Policies
Security Manager supports IPsec configuration with Certification Authority (CA) servers that manage certificate requests and issue certificates to devices in your VPN topology. You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and manage keys and certificates, providing centralized key management for the participating devices.

CA servers, also known as trustpoints, manage public CA certificate requests and issue certificates to participating IPsec network devices. When you use Certificates as the authentication method for IKE and IPsec proposal policies, peers are configured to obtain digital certificates from a CA server. With a CA server, you do not have to configure keys between all the encrypting devices. Instead, you individually enroll each participating device with the CA server, which is explicitly trusted to validate identities and create a digital certificate for the device. When this has been accomplished, each participating peer can validate the identities of the other participating peers and establish encrypted sessions with the public keys contained in the certificates.

CAs can also revoke certificates for peers that no longer participate in an IPsec VPN topology. Revoked certificates are either managed by an Online Certificate Status Protocol (OCSP) server or are listed in a certificate revocation list (CRL) stored on an LDAP server, which each peer can check before accepting a certificate from another peer.

PKI enrollment can be set up in a hierarchical framework consisting of multiple CAs. At the top of the hierarchy is a root CA, which holds a self-signed certificate. The trust within the entire hierarchy is derived from the RSA key pair of the root CA. Subordinate CAs within the hierarchy can enroll with either the root CA or with another subordinate CA. Within a hierarchical PKI, all enrolled peers can validate each other’s certificate if the peers share a trusted root CA certificate or a common subordinate CA.
Keep the following in mind:

• PKI policies can be configured on Cisco IOS routers running version 12.3(7)T and later, PIX Firewalls, and Adaptive Security Appliance (ASA) devices for site-to-site and remote access VPNs.

• In site-to-site VPNs, you use the IKEv1 Public Key Infrastructure policy to identify CA servers for IKEv1 negotiations only. For IKEv2 negotiations, you identify the CA servers in the IKEv2 Authentication policy as described in Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.

• To save the RSA key pairs and the CA certificates between reloads permanently to Flash memory on a PIX Firewall release 6.3, you must configure the ca save all command. You can do this manually on the device or using a FlexConfig (see Chapter 7, “Managing FlexConfigs”).
CA Server Authentication Methods
You can authenticate the CA server using one of the following methods:

• Using the Simple Certificate Enrollment Protocol (SCEP) to retrieve the CA’s certificates from the CA server. Using SCEP, you establish a direct connection between your device and the CA server. Be sure your device is connected to the CA server before beginning the enrollment process. Because this method of retrieving CA certificates for routers is interactive, you can deploy your PKI policy to live devices only, not to files.

Note: When using SCEP, you must enter the fingerprint for the CA server. If the value you enter does not match the fingerprint on the certificate, the certificate is rejected. You can obtain the CA’s fingerprint by contacting the server directly, or by entering the following address in a web browser: http://<URLHostName>/certsrv/mscep/mscep.dll.
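Two statements on this page are worth seeing exercised in code: the hierarchy rule from the PKI overview (enrolled peers can validate each other's certificate when they share a trusted root CA certificate or a common subordinate CA) and the SCEP fingerprint check in the Note above (the retrieved CA certificate is rejected unless its fingerprint matches the value entered). The Go program below is an added example written for this page; it is not code from Security Manager, from any Cisco device, or from the CA server. Using only Go's standard crypto/x509 package, it builds a constructed two-level hierarchy (a self-signed root, two subordinate CAs, one peer certificate), validates the peer certificate against several trust stores, and compares a CA fingerprint against an operator-entered value. The CA and peer names, the choice of SHA-1 as the fingerprint digest, and the helper names (issue, peerAccepts, caFingerprint, fingerprintMatches, scenarios) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var serial int64 // constructed serial counter; a real CA persists issued serials

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn with the parent's key, or self-signs it when parent is nil (root CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// peerAccepts models one IPsec peer validating another peer's certificate: it trusts only
// the CA certificates in its own trust store and may have received the issuing subordinate CA's certificate.
func peerAccepts(trusted, presented []*x509.Certificate, remote *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := remote.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// caFingerprint is the hex SHA-1 digest of the certificate's DER bytes. SHA-1 is an
// assumption here; compare against whichever digest your CA server displays.
func caFingerprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// fingerprintMatches normalizes an operator-entered fingerprint (case, spaces, colons)
// and rejects the retrieved CA certificate unless the digest matches exactly.
func fingerprintMatches(retrieved *x509.Certificate, entered string) bool {
	norm := strings.NewReplacer(" ", "", ":", "").Replace(strings.ToLower(entered))
	return norm == caFingerprint(retrieved)
}

// scenarios builds root -> subA and root -> subB -> peerB, then reports which trust configurations accept peerB.
func scenarios() map[string]bool {
	root, rootKey := issue("Root CA", true, nil, nil)
	subA, _ := issue("Sub CA A", true, root, rootKey)
	subB, subBKey := issue("Sub CA B", true, root, rootKey)
	peerB, _ := issue("peer-b.example", false, subB, subBKey)
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]bool{
		"shared root, subB presented":   peerAccepts(certs(root), certs(subB), peerB),
		"shared root, subB missing":     peerAccepts(certs(root), certs(), peerB),
		"common subordinate (subB)":     peerAccepts(certs(subB), certs(), peerB),
		"other subordinate (subA) only": peerAccepts(certs(subA), certs(subB), peerB),
		"fingerprint ok":                fingerprintMatches(root, " "+strings.ToUpper(caFingerprint(root))),
		"fingerprint mismatch":          fingerprintMatches(root, caFingerprint(subB)),
	}
}

func main() {
	for name, ok := range scenarios() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

Running it with go run prints one accepted=true/false line per scenario. The two negative cases are the ones to notice when troubleshooting certificate authentication between peers: trusting the root is not enough if the subordinate CA certificate that issued the remote peer's certificate is never made available to the validating peer, and trusting a different subordinate CA under the same root does not validate the remote peer at all. The fingerprint comparison shows why a single wrong digit in the value entered for SCEP causes the retrieved CA certificate to be rejected rather than silently accepted.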