Cisco devices support the following open CA standards when implementing IPSec:
- Internet Key Exchange (IKE) is a hybrid protocol that implements Oakley and
Skeme key exchanges inside the ISAKMP framework. While IKE can be used with
other protocols, its initial implementation is with the IPSec protocol. IKE
provides authentication of the IPSec peers, negotiates IPSec keys, and
negotiates IPSec security associations.
- Public-Key Cryptography Standard #7 (PKCS #7) is a standard from RSA Data
Security, Inc. used to encrypt, sign, and package certificate enrollment
messages.
- Public-Key Cryptography Standard #10 (PKCS #10) is a standard syntax from RSA
Data Security, Inc. for certificate requests.
- RSA keys come in pairs. Each pair consists of one public key and one
private key.
- X.509v3 certificate support allows the IPSec-protected network to scale by
providing the equivalent of a digital ID card to each device. When two devices
wish to communicate, they exchange digital certificates to prove their
identity, thus removing the need to manually exchange public keys with each
peer or to manually specify a shared key at each peer. These certificates are
obtained from a CA. X.509 is part of the X.500 series of standards.
- CA interoperability permits Cisco IOS devices and CAs to communicate so
that Cisco IOS devices can obtain and use digital certificates from the CA.
Although IPSec can be implemented on a network without the use of a CA, using a
CA with SCEP provides manageability and scalability for IPSec.
Restrictions
The following restrictions apply when configuring a CA:
- This feature should be configured only when both IPSec and ISAKMP are
configured in the network.
- The Cisco IOS software does not support CA server public keys greater than
2048 bits.
Prerequisites
A CA must be available to the network before configuring this interoperability
feature. The CA must support Cisco Systems' PKI protocol, the Simple Certificate
Enrollment Protocol (SCEP). SCEP was formerly called Certificate Enrollment
Protocol (CEP).