Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

using IOS CA or alternate solution -- HELP

I have to convert one of my client DMVPN setups with 78 remote sites using a pre shared key to some kind of certificates. I want to be able to revoke certificate if needed, and also i want to be in charge of approviing certificate requests.

this is needed in case of my client needs to hire a consultant to replace the router (DMVPN Spoke) he does not want him to have  any knoweldge of preshared key that are being used. Using certificates will take care of the concern.

What would be the best route to go?

- cisco router as CISCO IOS CA Server

- changing current DMVPN to use certificates

- go with GET VPN

- go with Microsoft CA server

I am pretty sure someone over there uses certificates for Enterprise VPN authentication .

Please advice.

thank you

CCIE 18676

Re: using IOS CA or alternate solution -- HELP


Actually any of the options that you mentioned should work fine.

IOS CA Server will use the router as the CA authority
GET VPN, relatively new VPN technology
Microsoft CA server, will use a Windows Server for CA authority

Personally, I have experience with the Microsoft CA Server for Enterprise and IOS CA for smaller environments.
I have not experienced with GET VPN yet, though it seems a very cool technology

Either path you choose, involves quite a change and work, so if you're going to put this much effort on it, I'll go with

It really depends on what you currently have and what you need.
If you have any questions let us know, perhaps we can help you further.