Implementing Digital Certificates
Certificate authority support

Cisco devices support the following open CA standards when implementing IPSec:

  • Internet Key Exchange (IKE) is a hybrid protocol that implements Oakley and Skeme key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
  • Public-Key Cryptography Standard #7 (PKCS #7) is a standard from RSA Data Security, Inc. used to encrypt, sign, and package certificate enrollment messages.
  • Public-Key Cryptography Standard #10 (PKCS #10) is a standard syntax from RSA Data Security, Inc. for certificate requests.
  • RSA keys come in pairs. Each pair consists of one public key and one private key.
  • X.509v3 certificate support allows the IPSec-protected network to scale by providing the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange digital certificates to prove their identity, thus removing the need to manually exchange public keys with each peer or to manually specify a shared key at each peer. These certificates are obtained from a CA. X.509 is part of the X.500 standard.
  • CA interoperability permits Cisco IOS devices and CAs to communicate so that Cisco IOS devices can obtain and use digital certificates from the CA. Although IPSec can be implemented on a network without the use of a CA, using a CA with SCEP provides manageability and scalability for IPSec.

Restrictions
The following restrictions apply when configuring a CA:

  • This feature should be configured only when both IPSec and ISAKMP are configured in the network.
  • The Cisco IOS software does not support CA server public keys greater than 2048 bits.

Prerequisites
A CA must be available to the network before configuring this interoperability feature. The CA must support the Cisco Systems PKI protocol, the Simple Certificate Enrollment Protocol (SCEP). SCEP was formerly called the Certificate Enrollment Protocol (CEP).
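The following Cisco IOS configuration is an added example, not part of the original document, showing how the CA interoperability and SCEP prerequisites above come together on a device: a 2048-bit RSA key pair (the upper bound named under Restrictions), a trustpoint that enrolls over SCEP, and the authenticate/enroll steps that fetch the CA certificate and submit the PKCS #10 request. The hostname, domain, trustpoint name, key label, SCEP URL and the fingerprint value are assumed placeholders.

```cisco
! Assumed names for this example: device vpn-gw, trustpoint CA-LAB,
! key label VPN-KEY, SCEP URL ca.example.com. The fingerprint value is a
! placeholder to be replaced with the CA certificate's real fingerprint.
hostname vpn-gw
ip domain-name example.com
!
! Global configuration: generate the device key pair. A 2048-bit modulus
! stays within the largest CA server key size Cisco IOS supports.
crypto key generate rsa general-keys label VPN-KEY modulus 2048
!
crypto pki trustpoint CA-LAB
 ! SCEP enrollment endpoint on the CA (HTTP is what SCEP uses; the
 ! request itself is PKCS #7-wrapped, so the transport is not secret).
 enrollment url http://ca.example.com:80
 subject-name cn=vpn-gw.example.com,ou=IPSec-GW
 rsakeypair VPN-KEY
 ! Check the peer certificate against the CA's CRL during IKE.
 revocation-check crl
 ! Pin the CA certificate fingerprint obtained out of band, so the
 ! GetCACert step fails closed if a different CA answers the URL.
 fingerprint <CA-CERT-FINGERPRINT-PLACEHOLDER>
!
! Privileged EXEC: fetch and verify the CA certificate (SCEP GetCACert),
! then request the device certificate (SCEP PKCSReq carrying the
! PKCS #10 request inside a PKCS #7 envelope).
crypto pki authenticate CA-LAB
crypto pki enroll CA-LAB
!
! Verification: both the CA certificate and the device certificate
! should be listed, and the trustpoint should show the enrollment state.
show crypto pki certificates CA-LAB
show crypto pki trustpoints
```

On releases that predate the pki keyword, the same commands are entered as crypto ca trustpoint, crypto ca authenticate and crypto ca enroll.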
