Implementing Digital Certificates
Enroll a device with a CA

The typical process for enrolling a device, such as a router or PIX Security Appliance, with a CA is as follows:

Step 1 Configure the device for CA support.

Step 2 Generate a public and private key-pair on the device.

Step 3 The device authenticates the CA server:

  • Send the certificate request to the CA/RA.
  • Generate a CA/RA certificate.
  • Download a CA/RA certificate to the device.
  • Authenticate a CA/RA certificate via the CA/RA fingerprint.

Step 4 The device sends a certificate request to the CA.

Step 5 The CA generates and signs an identity certificate.

Step 6 The CA sends the certificates to the device and posts the certificates in its public repository.

Step 7 The device verifies the identity certificate and posts the certificate.

Cisco has automated most of these steps through the Simple Certificate Enrollment Protocol (SCEP), which many CA server vendors support. Each vendor determines how long its certificates remain valid.
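The check in Step 3 is the one that cannot be automated away: the device must compare the fingerprint of the downloaded CA/RA certificate with a fingerprint obtained out of band, or it will trust whatever certificate answered. The following Python script is an added example (not code from the page or from Cisco) that performs that comparison using only the standard library; the certificate bytes are constructed, and the function names are the example's own.

```python
"""Step 3 of enrollment: authenticate the downloaded CA/RA certificate by fingerprint."""
import base64
import hashlib
import hmac
import re

# Constructed sample: these bytes stand in for the DER-encoded CA certificate the
# device downloads. The fingerprint logic only hashes bytes, so any content works.
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_CA_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and line breaks, then decode the base64 body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate fingerprint: hash of the DER encoding, as lowercase hex."""
    return hashlib.new(algo, der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'AB CD ..' or grouped 'ABCD EF01 ..' and return bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def authenticate_ca(pem: str, expected_fingerprint: str, algo: str = "sha256") -> bool:
    """Trust the downloaded CA/RA certificate only if its fingerprint matches the
    value obtained out of band from the CA operator. A mismatch means a different
    certificate was delivered than the one the operator published, so enrollment
    must stop rather than proceed with an unverified CA."""
    expected = normalize_fingerprint(expected_fingerprint)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: a fingerprint of another hash algorithm was pasted
    actual = fingerprint(pem_to_der(pem), algo)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_CA_DER)
    print("CA fingerprint:", ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)))
    print("authenticated:", authenticate_ca(SAMPLE_CA_PEM, fp))
```

Only when `authenticate_ca` returns True should the device continue to Step 4 and submit its certificate request.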