Redundancy of Subordinate CAs

networkmessi
Level 1

Hi All;

We are planning to configure hierarchical CAs, one root, two subordinate CAs for our DMVPN deployment.

However, I have concerns about the redundancy of CAs.

I wonder which CA my routers prefer when I configure two trustpoints. Do they select the certificate of one or store both of them? If they store both of them, which one do they use for authentication?

If they select one of them and the selected CA server goes down, what happens?

Thanks..

1 Reply

Marcin Latosiewicz
Cisco Employee

To some extent this is configurable:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c1.html#GUID-DE9B49BB-FB15-41D0-933A-35180A5BBB59

You need to remember that IKE peers tell about their valid CAs via CERT_REQ payloads, used before exchanging the actual certificates.
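To illustrate the CERT_REQ mechanism the reply points to, here is an added example (not code from the thread or from Cisco IOS) that builds and parses an IKEv2 CERTREQ payload as defined in RFC 7296 section 3.7 and shows how a router holding two trustpoints would pick the one whose CA the peer announced. The CA key material, trustpoint names and selection order are constructed assumptions; IKEv1 CERT_REQ carries CA distinguished names instead of key hashes, so this models the IKEv2 form only.

```python
# Added example: IKEv2 CERTREQ payload handling (RFC 7296 s3.7).
# For Cert Encoding 4 ("X.509 Certificate - Signature") the payload body is a
# concatenated list of 20-byte SHA-1 hashes, one per trusted CA, each taken over
# that CA certificate's SubjectPublicKeyInfo (DER). SPKI bytes below are
# constructed placeholders, not real DER.
import hashlib
import struct

X509_SIG = 4  # Cert Encoding value for X.509 Certificate - Signature

def ca_key_hash(ca_spki):
    """SHA-1 over the CA's SubjectPublicKeyInfo, as carried in CERTREQ."""
    return hashlib.sha1(ca_spki).digest()

def build_certreq(ca_spkis):
    """Build the CERTREQ payload body announcing the given trusted CAs."""
    body = b"".join(ca_key_hash(spki) for spki in ca_spkis)
    return struct.pack("!B", X509_SIG) + body

def parse_certreq(payload):
    """Return (encoding, set of announced CA key hashes); reject bad lengths."""
    if len(payload) < 1:
        raise ValueError("empty CERTREQ payload")
    encoding = payload[0]
    body = payload[1:]
    if encoding == X509_SIG and len(body) % 20:
        raise ValueError("CERTREQ hash list is not a multiple of 20 bytes")
    hashes = {body[i:i + 20] for i in range(0, len(body), 20)}
    return encoding, hashes

def select_trustpoint(trustpoints, certreq):
    """Pick the first configured trustpoint whose CA the peer announced.
    trustpoints: ordered list of (name, ca_spki). Returns None on no match,
    which is the case where the peer trusts neither of our CAs."""
    encoding, wanted = parse_certreq(certreq)
    if encoding != X509_SIG:
        return None
    for name, ca_spki in trustpoints:
        if ca_key_hash(ca_spki) in wanted:
            return name
    return None

# Constructed data: the two subordinate CAs from the question plus an unrelated CA.
SUB_CA1 = b"constructed-spki-subordinate-ca-1"
SUB_CA2 = b"constructed-spki-subordinate-ca-2"
OTHER_CA = b"constructed-spki-unrelated-ca"
ROUTER_TRUSTPOINTS = [("TP-SUBCA1", SUB_CA1), ("TP-SUBCA2", SUB_CA2)]
```

If the peer's CERTREQ lists only one of the two subordinate CAs, the certificate from that trustpoint is the one worth presenting; a peer announcing neither is a configuration mismatch rather than a certificate-selection problem.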