Cisco Support Community
New Member

Redundancy of Subordinate CAs

Hi All;

We are planning to configure hierarchical CAs, one root, two subordinate CAs for our DMVPN deployment.

However, I have concerns about the redundancy of CAs.

I wonder which CA do my routers prefer when I configure two trustpoints. Do they select the certificate of one or store both of them? If they store both of them, which one do they use for authentication?

If they select one of them and the selected CA server goes down, what happens?

Thanks.

1 REPLY
Cisco Employee

Redundancy of Subordinate CAs

To some extent this is configurable:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c1.html#GUID-DE9B49BB-FB15-41D0-933A-35180A5BBB59

You need to remember that IKE peers tell about their valid CAs via CERT_REQ payloads, used before exchanging the actual certificates.
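
How a CERT_REQ payload can steer the choice between two enrolled certificates, as an added example that is not part of the original thread and is not Cisco IOS code. It assumes the IKEv2 CERTREQ layout from RFC 7296 section 3.7 (one encoding byte, then SHA-1 hashes of trusted CA public keys); the trustpoint names, placeholder keys and first-match selection order are assumptions for illustration.

```python
import hashlib

X509_SIGNATURE = 4  # IKEv2 Cert Encoding value for "X.509 Certificate - Signature"

def ca_key_id(spki_der: bytes) -> bytes:
    """SHA-1 of a CA's SubjectPublicKeyInfo: one entry in a CERTREQ."""
    return hashlib.sha1(spki_der).digest()

def build_certreq(trusted_spkis):
    """CERTREQ body: 1-byte encoding, then concatenated 20-byte CA hashes."""
    return bytes([X509_SIGNATURE]) + b"".join(ca_key_id(s) for s in trusted_spkis)

def parse_certreq(body: bytes):
    """Return the list of CA key hashes the peer says it trusts."""
    if not body or body[0] != X509_SIGNATURE:
        raise ValueError("unsupported or missing Cert Encoding")
    hashes = body[1:]
    if len(hashes) % 20:
        raise ValueError("CA field is not a multiple of 20 bytes")
    return [hashes[i:i + 20] for i in range(0, len(hashes), 20)]

def select_identity(certreq_body, local_identities):
    """Pick the first local certificate whose chain contains a requested CA.

    local_identities: ordered list of (trustpoint_name, [SPKI of each chain CA]).
    First-match order is an assumption here, not documented router behaviour.
    Returns the trustpoint name, or None when the peer accepts none of them.
    """
    wanted = set(parse_certreq(certreq_body))
    for name, chain_spkis in local_identities:
        if any(ca_key_id(s) in wanted for s in chain_spkis):
            return name
    return None

# Constructed placeholders standing in for real DER SubjectPublicKeyInfo blobs.
ROOT, SUB_A, SUB_B, OTHER = b"spki-root", b"spki-sub-a", b"spki-sub-b", b"spki-other"

# A router enrolled with both subordinate CAs (hypothetical trustpoint names).
ROUTER = [("TP-SUB-A", [SUB_A, ROOT]), ("TP-SUB-B", [SUB_B, ROOT])]

if __name__ == "__main__":
    for label, cas in [("sub B only", [SUB_B]), ("root", [ROOT]), ("unrelated", [OTHER])]:
        print(label, "->", select_identity(build_certreq(cas), ROUTER))
```

When the peer advertises only the shared root, both certificates qualify and the outcome depends on local selection order, which is where the configurable trustpoint restriction mentioned in the reply matters.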
