Routers as Certificate Authorities
As of IOS 12.3(4)T, Cisco routers can perform the function of a CA; RA functionality was added in a later IOS release. As a CA, routers can accept certificate requests using SCEP (which means that they have to run an HTTP server) and manual enrollment with cut-and-paste of the PKCS #10 information.
The CA server feature was added mostly for small shops that wanted to use an existing router for certificate services instead of purchasing a stand-alone product. However, the Cisco CA server feature does have limitations; it isn’t a full-blown CA product. Here are some of its restrictions:
When acting as an RA, the CA must be an IOS router.
Only a central design with one CA is supported.
As a CA, time services (NTP) ...