Cisco Support Community

New Member

Cisco IOS CA using 3rd Party Certificate

Hi,

Can I use a 3rd-party certificate, such as VeriSign, on a Cisco IOS CA? All I can see on cisco.com is a self-signed certificate from the router.

Thanks

-santo-

6 REPLIES
Cisco Employee

Cisco IOS CA using 3rd Party Certificate

Santo,

IOS can act as a (root or sub-) CA. Typically VeriSign will not give you a certificate that will allow you to be a CA yourself on their behalf (I might be wrong).

That being said, you can use certificates signed by any third party for authentication etc.

What is the end goal?

M.

New Member

Cisco IOS CA using 3rd Party Certificate

Hi Marcin,

Thanks a lot for your reply. I have the impression that using a 3rd-party certificate is more secure. Furthermore, when the certificate expires, I will be notified by that company, because I will be managing a lot of certificates.

What do you think ?

regards

-santo-

Cisco Employee

Cisco IOS CA using 3rd Party Certificate

Santo,

That's true, certificates are a much nicer way to manage security and, in terms of IKE, are more secure than the alternative, which is (typically) pre-shared keys.

However, that being said, PKI implementations are not limited to using 3rd-party certificates; you can very well use your own certificate authority to issue certificates. Microsoft has a good implementation, IOS has a CA, even ASA has one (although limited), and there are also plenty of free ones available.

What is it that you're trying to accomplish by utilizing certificates?

Marcin

New Member

Cisco IOS CA using 3rd Party Certificate

Hi Marcin,

My ultimate goal in using certificates is to have better security compared to pre-shared keys.

I prefer to use the IOS CA because using a Microsoft CA means I need to invest in another server. I am trying to do managed security services, such as GETVPN, for my customers. My opinion is that with a 3rd-party certificate, my customers will have the impression that it is more secure than a self-signed one, such as from the router itself.

what do you think ?

regards

-santo-

Cisco Employee (accepted solution)

Cisco IOS CA using 3rd Party Certificate

Santo,

That's fair enough. A key piece of information to make sure customers understand is that a private PKI infrastructure is (for the purpose of deployments such as GETVPN) as secure as one provided by a third party.

Private PKI is not based on self-signed certificates; only the root CA might need something like it :-)

That being said, for reliability and flexibility I really suggest storing the CA files (ser, CRL, OCSP, backup of public/private keys) on storage external to the router.

The key takeaway is that a properly managed private PKI solution for deployments like DMVPN/GETVPN and others is as secure as external 3rd-party services (and often an order of magnitude cheaper).

M.
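As an added illustration of the two points Marcin makes above (certificate-based IKE authentication instead of pre-shared keys, and keeping the CA's serial file, CRL and key backup off the router), here is an IOS CA server plus a group-member trustpoint and IKE policy. This is an added example, not configuration posted in the thread: the CA name MSP-CA, the trustpoint and key labels, the subject names, the FTP/HTTP server 10.0.0.5, the CA router address 10.0.0.1 and the password placeholders are all assumptions.

```text
! ===== CA router (assumed address 10.0.0.1) =====
! Exportable key pair so the CA can be archived and restored on other hardware.
crypto key generate rsa general-keys label MSP-CA modulus 2048 exportable
!
! SCEP enrollment from clients arrives over HTTP on the CA router.
ip http server
!
crypto pki server MSP-CA
 issuer-name CN=MSP-CA,O=Example-MSP
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Keep serial file (.ser), issued certificates and CRL on external storage
 ! (assumed FTP server 10.0.0.5), not on router flash.
 database level complete
 database url ftp://10.0.0.5/ca
 database url crl ftp://10.0.0.5/ca
 database username cabackup password 0 <ftp-password>
 ! Distribution point that clients will use for revocation-check crl.
 cdp-url http://10.0.0.5/ca/MSP-CA.crl
 ! Archive the CA key pair and certificate as PKCS#12 on each change.
 database archive pkcs12 password <archive-password>
 ! Default is manual approval; do not enable "grant auto" for a production CA.
 no grant auto
 no shutdown
!
! ===== GETVPN group member / DMVPN spoke =====
crypto pki trustpoint MSP-CA
 enrollment url http://10.0.0.1:80
 subject-name CN=gm1.example-msp.net,O=Example-MSP
 rsakeypair GM1-KEYS 2048
 ! Fail authentication if the CRL cannot be checked.
 revocation-check crl
!
! Exec-mode steps on the group member (verify the CA fingerprint out of band):
!   crypto pki authenticate MSP-CA
!   crypto pki enroll MSP-CA
! Then approve the request on the CA router:
!   crypto pki server MSP-CA grant <request-id>
!
! IKE phase 1 authenticates with the certificate instead of a pre-shared key.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
```

With `database level complete` every issued certificate is written to the external URL as well, which is what makes the CA recoverable from that store plus the PKCS#12 archive if the router itself is lost.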

New Member

Cisco IOS CA using 3rd Party Certificate

Thanks a lot, Marcin, for your reply. I really, really appreciate your feedback.

regards

-santo-
