Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates
Scaling PIX Security Appliance VPNs

As discussed earlier, pre-shared keys for IKE authentication work well only when there are few IPSec peers. Although several authentication methods are available, a CA server is the most scalable solution: the other IKE authentication methods require manual intervention to generate and distribute keys on a per-peer basis. When the PIX Security Appliance implements IPSec VPNs with digital certificates, the CA server enrollment process can be largely automated, so it scales well to large deployments. Each PIX that is to act as an IPSec peer enrolls individually with the CA server and obtains public and private encryption keys that are compatible with those of every other peer enrolled with the same server.

The PIX Security Appliance supports the following CA servers:

  • Cisco IOS Certificate Server
  • Baltimore Technologies
  • Entrust
  • Microsoft Certificate Services
  • Netscape CMS
  • RSA Keon
  • VeriSign
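The enrollment sequence described above, shown as an added PIX 6.x configuration example (not taken from the original page). The hostname pix-site-a, domain example.com, CA nickname vpnca, the CA address 192.0.2.10 with a SCEP responder at /cgi-bin/pkiclient.exe, and the challenge-password placeholder are all assumed values; lines beginning with ! are annotations.

```text
! Identity must be set before key generation; it becomes the certificate subject
hostname pix-site-a
domain-name example.com
! Generate the local RSA key pair (the public half goes into the enrollment request)
ca generate rsa key 1024
! Nickname, CA address and SCEP script path (assumed values)
ca identity vpnca 192.0.2.10:/cgi-bin/pkiclient.exe
! Poll the CA every 1 minute, up to 20 times; tolerate an unreachable CRL
ca configure vpnca ca 1 20 crloptional
! Download the CA certificate; compare the displayed fingerprint with the CA
! operator's out-of-band value before answering yes
ca authenticate vpnca
! Submit the enrollment request with the one-time password issued by the CA
ca enroll vpnca <challenge-password>
! Persist keys and certificates to flash so they survive a reload
ca save all
! Switch IKE from pre-shared keys to RSA signatures
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Verify that the CA and device certificates are installed
show ca certificate
show ca mypubkey rsa
```

Every additional PIX peer repeats the same steps against the same CA, which is what removes the per-peer key distribution that pre-shared keys require.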