Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Trusting root offline CAs

Hi

I have a two-tier CA architecture - an offline root CA, which signs the certificates of two online issuing CAs.

In order to get this to work, I need to authenticate BOTH the issuing CA *and* the root CA on the VPN endpoints (IOS routers) - using the command 'crypto ca authenticate' twice - once with a trustpoint for the root CA and again with the trustpoint for the issuing CA.

However, this requires that, in order to set up IPSec with CAs, I require network access to the root CA - preventing me from taking it offline.

Is there any way around this - can I 'trust' the root CA's certificate without having access to it over the network?

Any ideas/links will be very much appreciated.

Cheers,

Matt

1 REPLY
New Member

Re: Trusting root offline CAs

I thinks thats how it is designed for maximum secuirty, one thing you can do configure a RA which will take the requests online and then forward it to the offline CA.For more ideas refer this URL

http://www.networkmagazine.com/article/printableArticle?doc_id=NMG20001004S0015

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ca7.html#xtocid7

101
Views
0
Helpful
1
Replies
CreatePlease to create content