Digital Certificates/PKI for IPSec VPNs

This document provides information about using digital certificates issued by a Cisco IOS CA server to authenticate VPN tunnels between Cisco routers. It provides design considerations, step-by-step configuration instructions, and basic management options for VPN crypto devices using digital certificates. This document is written for Cisco system engineers and assumes that you have a working knowledge of Cisco IOS routers, as well as a basic understanding of IPSec, ISAKMP/IKE, and digital certificates.

Cisco Systems, Inc., Corporate Headquarters, 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright 2005 Cisco Systems, Inc. All rights reserved.

Contents

Design Guide Structure 1-2
Overview 1-3
Architectural Design Considerations 1-5
Configuring the Cisco IOS CA Server 1-6
Enrollment with a Cisco IOS Software CA Over SCEP 1-13
IPSec Headend Hub-and-Spoke Configuration Using dmaps, DPD, RRI 1-14
Branch End Hub-and-Spoke Configuration 1-14
Enrolling a VPN Headend Router with the Cisco IOS CA Using SCEP 1-16
Approving an Enrollment for the VPN Headend Router on the Cisco IOS CA 1-19
Enrolling a Branch Router with a Cisco IOS CA Using SCEP 1-20
Approving an Enrollment for a Branch Router with a Cisco IOS CA 1-24
Removing the Pre-Shared Key 1-25
Distributing the CRL over SCEP 1-26
Revoking a Digital Certificate for a Branch VPN Router 1-28
Examples of Revoked Certificate Logs 1-30
VPN Branch Router 1-30
VPN Crypto Headend Router 1-31
Copying Certificate Enrollments to a Cisco IOS CA 1-32
Automatically Re-enrolling Expired Certificates Before Expiration 1-37
Backing Up and Restoring the Cisco IOS CA Server 1-42
Backing Up Cisco IOS CA Server Files to a Different System 1-43
Recovering From Server Failure 1-43
Restoring Files To a Replacement Cisco IOS CA Server 1-45
Using TFTP/HTTP Server for Off-System Storage of CA Files 1-50
Useful Commands 1-54
Commands for Managing the Cisco IOS .