Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How do CERTs without a CA ?


i'm having problems understanding what

the router can do with certs

ihave no CA i can talk to,

so i need to manually install certs on 2 routers,

(running 12.2.13T1)

so that they can setup an IKE SA, without

talking to the root CA.

i have a PC that can generate a key pair,

get a cert

but how would i get them in the routers ?

where is the private key held ?

can the routers then talk without a CA ?




Re: How do CERTs without a CA ?

You need a CA to do certs. A CA is critical to help both sides have assurance that each side is who they say they are = a critical component of authentication.

Use shared secrets instead., or go with the encrypred nonces method. Cisco supports shared secrets across pixen, IOS, etc, while encrypted nonces is supported only on IOS devices

This link should present all non-CA options to you.

New Member

Re: How do CERTs without a CA ?



I'm only testing for now,

and have a CA that can generate the certs,

but cant talk to it over the network,

so need a way of pasting ? certs and keys



New Member

Re: How do CERTs without a CA ?

Hi Pete,

Plz note that you cannot see the private key generated on a router. You can only see the public key. You need to manually copy the public keys of one router and paste it into the other. To copy all you need to do is select the public key shown in the running config (on the terminal window) and paste it on the other router. Do the same thing with the other router. Thatz all !!

Also, remember that if you have a CA certificate, then it itself contains the public key of the router + the CA's digital signature. You **DO NOT** have to copy this from one router to the other. This will be done as part of ISAKMP negotiations in Phase 1.

Hope it is clear to you. Let me know if you need more info.


New Member

Re: How do CERTs without a CA ?



I was in the situation where i didnt have connectivity to the CA,

but still needed to prove certs worked to the customer.

Have now found that in latest code12.2.13T that you can manually cut& paste

cert requests and certs, to/from the router

which is what i was looking for.

Only for testing of course.



CreatePlease to create content