Trusting root offline CAs

mattcooling
Level 1

Hi

I have a two-tier CA architecture - an offline root CA, which signs the certificates of two online issuing CAs.

In order to get this to work, I need to authenticate BOTH the issuing CA *and* the root CA on the VPN endpoints (IOS routers) - using the command 'crypto ca authenticate' twice - once with a trustpoint for the root CA and again with the trustpoint for the issuing CA.

However, this requires that, in order to set up IPSec with CAs, I require network access to the root CA - preventing me from taking it offline.

Is there any way around this - can I 'trust' the root CA's certificate without having access to it over the network?

Any ideas/links will be very much appreciated.

Cheers,

Matt
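
The two-trustpoint layout the question describes, written out as an added illustration (not the poster's configuration). Trustpoint names, the issuing CA's URL and the tier naming are placeholders; newer IOS releases use `crypto pki` where the question writes `crypto ca`, and the `chain-validation continue` keyword ties the issuing CA trustpoint to its parent so that validation of a peer certificate continues up to the root. The root trustpoint uses `enrollment terminal`, which makes `crypto pki authenticate` prompt for a pasted PEM copy of the root certificate and then display its fingerprint for out-of-band confirmation.

```cisco
! Added example, not the poster's configuration. Names and URL are placeholders.
!
! --- configuration mode ---
! Root CA trustpoint: certificate is pasted at the console, no URL is configured.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
!
! Issuing CA trustpoint: enrolled over SCEP as in the question; validation of a
! peer certificate continues from ISSUING-CA up to ROOT-CA.
crypto pki trustpoint ISSUING-CA
 enrollment url http://issuing-ca.example.com:80
 revocation-check crl
 chain-validation continue ROOT-CA
!
! --- privileged EXEC mode ---
! Authenticate the root first: IOS asks for the base64 certificate, then shows the
! fingerprint, which should be compared against a value obtained out of band.
crypto pki authenticate ROOT-CA
! Authenticate the issuing CA over SCEP and enrol the router's own certificate.
crypto pki authenticate ISSUING-CA
crypto pki enroll ISSUING-CA
```

`show crypto pki certificates` afterwards lists the root certificate under ROOT-CA and both the CA and router certificates under ISSUING-CA; the fingerprint check at the `authenticate` prompt is the step that actually establishes trust in the pasted root, so it should not be accepted blind.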

1 Reply

r-simpson
Level 3

I think that's how it is designed for maximum security. One thing you can do is configure an RA which will take the requests online and then forward them to the offline CA. For more ideas refer to these URLs:

http://www.networkmagazine.com/article/printableArticle?doc_id=NMG20001004S0015

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ca7.html#xtocid7