I am looking to roll out a DMVPN solution using Cisco IOS CA, and I have a few questions that I really haven't been able to answer to my satisfaction by reading the documentation. I was curious as to how well the Cisco IOS CA scales. I am looking at having approximately 200 spokes down the road. I would be storing the certificates in flash rather than NVRAM, so there is plenty of room. Also, the whole point of DMVPN is to have a resilient hub-and-spoke design, in this case eventually three hubs for all the spokes. It doesn't appear possible to me to have each spoke router enroll with each DMVPN router acting as its own CA. From what I read, there can only be one CA. Is that correct, or am I missing something? If you can only have one CA, then it really doesn't seem to make much sense to leverage the Cisco IOS CA in this situation, as I would need the spokes to authenticate to each router with a common certificate, which points to an off-router solution. Does this sound correct? Thanks in advance for any help you may be able to provide.