Routers as Certificate Authorities

As of IOS 12.3(4)T, Cisco routers can perform the function of a CA; RA functionality was added in a later IOS release. As a CA, routers can accept certificate requests using SCEP (which means that they have to run an HTTP server) and manual enrollment with cut-and-paste of the PKCS #10 information.
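
As an added example (not taken from the book), here is a minimal IOS CA-server configuration of the kind described above, accepting SCEP enrollment over the router's HTTP server; the CA name, issuer name, addresses, lifetimes and the access list limiting which hosts may reach the SCEP endpoint are placeholders and assumptions of this example.

```cisco
! Added example: minimal IOS CA server with SCEP enrollment (all names/addresses are placeholders)
!
! Certificate validity depends on the router clock, so synchronize time first
ntp server 192.0.2.10
!
! SCEP rides on the router's HTTP server; restrict it to the enrollment subnet
access-list 10 permit 192.0.2.0 0.0.0.255
ip http server
ip http access-class 10
!
crypto pki server EXAMPLE-CA
 issuer-name CN=example-ca,O=Example Corp
 database level complete
 database url nvram:
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Requests wait for manual approval (the default); "grant auto" would issue a
 ! certificate to any client that can reach the SCEP URL, so it is not set here
 no shutdown
!
! Operator workflow in exec mode: review pending requests, then grant one by its request ID
!   crypto pki server EXAMPLE-CA info requests
!   crypto pki server EXAMPLE-CA grant 1
```

Enabling the server with no shutdown prompts for a passphrase that protects the CA key pair; manual (cut-and-paste) enrollment uses the same server, with the PKCS #10 request granted through the same grant command.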

The CA server feature was added mostly for small shops that wanted to use an existing router for certificate services instead of purchasing a stand-alone product. However, the Cisco CA server feature does have limitations; it isn’t a full-blown CA product. Here are some of its restrictions:

  • When acting as an RA, the CA must be an IOS router.

  • Only a central design with one CA is supported.

  • As a CA, time services (NTP) ...
