The Complete Cisco VPN Configuration Guide

Routers as Certificate Authorities

As of IOS 12.3(4)T, Cisco routers can perform the function of a CA; RA functionality was added in a later IOS release. As a CA, routers can accept certificate requests using SCEP (which means that they have to run an HTTP server) and manual enrollment with cut-and-paste of the PKCS #10 information.

The CA server feature was added mostly for small shops that wanted to use an existing router for certificate services instead of purchasing a stand-alone product. However, the Cisco CA server feature does have limitations; it isn’t a full-blown CA product. Here are some of its restrictions:

When acting as an RA, the CA must be an IOS router.
Only a central design with one CA is supported.
As a CA, time services (NTP) ...

Get The Complete Cisco VPN Configuration Guide now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

The Complete Cisco VPN Configuration Guide by Richard Deal

Routers as Certificate Authorities

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly