
In PKIFNE part 10 (link), I introduced Cisco IOS Certification Authority, reviewing its use cases, deployment options, and enrollment challenges. In this installment we're going to dip our toes in the water and put together a basic working configuration utilizing Simple Certificate Enrollment Protocol (SCEP). This design is suitable for production deployment in a small to medium sized network.

There are some interactive steps in turning up a CA and enrolling spokes. Also, there is a one-line configuration difference between a spoke and a hub. For these reasons, the configurations are broken up into several snippets. For more detailed information on IOS CA, here is a link: IOS-XE public key infrastructure configuration guide. After the snippets I'll show you what the output should approximately look like, and we'll follow that up with some verification commands for testing and troubleshooting your deployment.

In this example, we're going to do a spoke and hub network, with a CA sitting behind the hub. For simplicity's sake, I'll forgo some of the things I would normally include in this kind of design (such as DMVPN with FVRF) so we can focus on the PKI part. Just know that this design is intended to work with a spoke and hub VPN topology.

Root CA Overview

Verification from r5

Quick verification that our topology is functional and we have the routes:

In this simple design we have a single root issuing CA. Let's go ahead and pop in a somewhat minimal working config.

Generate a 2048 bit RSA keypair called CA.
Create a folder to hold our PKI database.
Set lifetimes on our CA and client certificates (feel free to alter as needed).
Disable all HTTP modules except for the SCEP server.
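A minimal root CA configuration that walks through those four steps, written here as an added example rather than the post's own snippet. The keypair and server label CA, the database path flash:/pki, the issuer name and the lifetime values are assumptions; the SCEP session-module name should be confirmed against "show ip http server session-module" on your image before relying on it.

```cisco
! Added example, not the original post's configuration.
! Assumed values: label CA, path flash:/pki, issuer-name, lifetimes.
!
! Step 1 (exec mode): generate a 2048-bit RSA keypair labelled CA.
! IOS CA picks up the keypair whose label matches the server name.
crypto key generate rsa label CA modulus 2048
!
! Step 2 (exec mode): create the folder that will hold the PKI database.
! IOS prompts to confirm the directory name.
mkdir flash:/pki
!
! Step 3 (config mode): root CA with explicit lifetimes and a complete
! database, so issued certificates can be listed and revoked later.
configure terminal
crypto pki server CA
 database url flash:/pki/
 database level complete
 issuer-name CN=CA,O=EXAMPLE-LAB
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 no shutdown
!
! "no shutdown" is one of the interactive steps: it prompts for the
! passphrase that protects the CA private key. Enrollment requests are
! left on manual grant (the default); approve them later with
! "crypto pki server CA grant all" after reviewing
! "crypto pki server CA info requests".
!
! Step 4 (config mode): expose only the SCEP module over HTTP.
! Module name assumed to be SCEP; verify with
! "show ip http server session-module".
ip http server
ip http session-module-list scep-only SCEP
ip http active-session-modules scep-only
end
```

Confirm the result with "show crypto pki server" (state should be enabled, with the issuer and lifetimes shown above) and "show ip http server session-module", which lists which modules remain active; anything other than the SCEP module still showing as active means the module list did not take effect.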
5.2 Exploring the contents of the CA database.
6.3 Certificate Auth VPN and revocation checks.