IOS CA with offline root and multiple subordinates
Does anyone have specific experience with setting up an offline root CA with multiple subordinates issuing certs to routers for VPN authentication? I'm working on setting this up for testing and the documentation does not clearly state if I can have certificates on 2 devices, issued by different subordinates of the same root and have trust between them for authentication.
Re: IOS CA with offline root and multiple subordinates
After testing and going over the documentation again, it looks like the answer is to configure a root (online) with multiple RAs (registration authorities) below it. In initial testing, certs still needed to be granted at the root server, but hopefully this helps anyone looking to do a large-scale PKI rollout.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...