Cisco IOS CA using 3rd Party Certificate

susleman
Level 1

Hi,

Can I use a 3rd party certificate, such as VeriSign, on Cisco IOS CA? All I can see on cisco.com is the self-signed certificate from the router.

Thanks

-santo-

6 Replies

Marcin Latosiewicz
Cisco Employee

Santo,

IOS can act as a (root or sub-) CA. Typically VeriSign will not give you a certificate that will allow you to be a CA yourself on their behalf (I might be wrong).

That being said, you can use certificates signed by any third party for authentication etc.

What is the end goal?

M.

Hi Marcin,

Thanks a lot for your reply. I have the impression that using a 3rd party certificate is more secure. Furthermore, when the certificate is expired, I will be notified by that company, because I will be managing a lot of certificates.

What do you think?

regards

-santo-

Santo,

That's true, certificates are a much nicer way to manage security and in terms of IKE are more secure than the alternative, which is (typically) pre-shared keys.

However, that being said, PKI implementations are not limited to using 3rd party certificates; you can very well use your own certificate authority to issue certificates. Microsoft has a good implementation, IOS has a CA, even ASA has one (although limited), and there are also plenty of free ones available.

What is it that you're trying to accomplish by utilizing certificates?

Marcin

Hi Marcin,

My ultimate goal in using certificates is to have better security compared to pre-shared keys.

I prefer to use IOS CA because using a Microsoft CA means I need to invest in another server. I am trying to do managed security services such as GETVPN for my customers. My opinion is that by having a 3rd party certificate, my customers will have the impression that it is more secure than a self-signed one such as from the router itself.

What do you think?

regards

-santo-

Santo,

That's fair enough. A key piece of information to make sure customers understand is that a private PKI infrastructure is (for the purpose of deployments such as GETVPN) as secure as one provided by a third party.

Private PKI is not based on self-signed certificates - only the root CA might need something like it :-)

That being said, for reliability and flexibility I really suggest storing the CA files (ser, CRL, OCSP, backup of public/private keys) on storage external to the router.

The key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd party services (and oftentimes an order of magnitude cheaper).

M.

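As an added illustration of Marcin's advice (not configuration from the original thread), below is a minimal IOS CA whose database, CRL and exported key backup live off the router, plus the matching trustpoint on a group member that checks the CRL. Hostnames, URLs, labels and credentials are placeholders.

```cisco
! --- On the IOS CA router ---
! Generate the CA key pair as exportable so it can be backed up off-box.
crypto key generate rsa general-keys label MSP-CA modulus 2048 exportable
!
! SCEP enrollment from group members runs over the router's HTTP server.
ip http server
!
crypto pki server MSP-CA
 issuer-name CN=MSP-CA,O=Example-MSP
 ! Keep issued certificates, the serial file and the CRL on an external
 ! store rather than flash:, so replacing the router does not lose CA state.
 database url ftp://pki-store.example.net/msp-ca
 database level complete
 database username pkiwriter password 7 <placeholder>
 ! Publish the CRL where group members can fetch it for revocation checks.
 cdp-url http://pki-store.example.net/msp-ca/MSP-CA.crl
 lifetime ca-certificate 3650
 lifetime certificate 730
 lifetime crl 24
 ! Approve each customer enrollment by hand; do not use 'grant auto'.
 no grant auto
 no shutdown
!
! Back up the CA key pair (passphrase-encrypted) to the same external store.
crypto key export rsa MSP-CA pem url ftp://pki-store.example.net/msp-ca/keys 3des <passphrase>
!
! --- On a customer GETVPN group member ---
! Enroll against the private CA over SCEP and check the CRL before a peer
! certificate is accepted in IKE.
crypto pki trustpoint MSP-CA
 enrollment url http://ca.example-msp.net:80
 revocation-check crl
```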
Thanks a lot, Marcin, for your reply. I really, really appreciate your feedback.

regards

-santo-