Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 71

IOS XR System Security Configuration Guide
Implementing Certification Authority Interoperability on Cisco IOS XR Software
IPSec with Multiple Trustpoint CAs
With multiple trustpoint CAs, you no longer have to enroll a router with the CA that issued a certificate
to a peer. Instead, you configure a router with multiple CAs that it trusts. Thus, a router can use a
configured CA (a trusted root) to verify certificates offered by a peer that were not issued by the same
CA defined in the identity of the router.
Configuring multiple CAs allows two or more routers enrolled under different domains (different CAs)
to verify the identity of each other when using IKE to set up IPSec tunnels.
Through SCEP, each router is configured with a CA (the enrollment CA). The CA issues a certificate to
the router that is signed with the private key of the CA. To verify the certificates of peers in the same
domain, the router is also configured with the root certificate of the enrollment CA.
To verify the certificate of a peer from a different domain, the root certificate of the enrollment CA in
the domain of the peer must be configured securely in the router.
During IKE phase one signature verification, the initiator will send the responder a list of its CA
certificates. The responder should send the certificate issued by one of the CAs in the list. If the
certificate is verified, the router saves the public key contained in the certificate on its public key ring.
With multiple root CAs, Virtual Private Network (VPN) users can establish trust in one domain and
easily and securely distribute it to other domains. Thus, the required private communication channel
between entities authenticated under different domains can occur.
How IPSec Devices Use CA Certificates
When two IPSec routers want to exchange IPSec-protected traffic passing between them, they must first
authenticate each other—otherwise, IPSec protection cannot occur. The authentication is done with IKE.
Without a CA, a router authenticates itself to the remote router using either RSA-encrypted nonces or
preshared keys. Both methods require keys to have been previously configured between the two routers.
With a CA, a router authenticates itself to the remote router by sending a certificate to the remote router
and performing some public key cryptography. Each router must send its own unique certificate that was
issued and validated by the CA. This process works because the certificate of each router encapsulates
the public key of the router, each certificate is authenticated by the CA, and all participating routers
recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your router can continue sending its own certificate for multiple IPSec sessions and to multiple IPSec
peers until the certificate expires. When its certificate expires, the router administrator must obtain a new
one from the CA.
When your router receives a certificate from a peer from another domain (with a different CA), the
certificate revocation list (CRL) downloaded from the CA of the router does not include certificate
information about the peer. Therefore, you should check the CRL published by the configured trustpoint
with the Lightweight Directory Access Protocol (LDAP) URL to ensure that the certificate of the peer
has not been revoked.
To query the CRL published by the configured trustpoint with the LDAP URL, use the query url
command in trustpoint configuration mode.
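The two checks this section describes, shown as an added example that is not Cisco's code and does not come from this guide: a small Go program built on the standard crypto/x509 package. Two CA domains (CA-East and CA-West, constructed names) each run their own trustpoint; a router enrolled with CA-East is configured with both roots and with the CRL each of them publishes, and it accepts a peer only when the peer's certificate chains to one of those roots and the CRL of that same root does not list the certificate's serial. In-memory key generation stands in for SCEP enrollment, and the signed CRL built here stands in for the one a router would fetch from the trustpoint's LDAP URL; the router and CA names, keys and certificates are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// try panics on error so the example stays short.
func try[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates an RSA key pair and has parent sign a certificate for subject (a nil parent
// yields a self-signed root allowed to sign certs and CRLs). All material is constructed in memory.
func issue(subject string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := try(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: try(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := try(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return try(x509.ParseCertificate(der)), key
}

// publishCRL signs a CA's revoked serials, standing in for the CRL a router fetches from the trustpoint's LDAP URL.
func publishCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return try(x509.ParseRevocationList(try(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

type trustpoint struct { // one configured CA as the router sees it: its root and its current CRL
	root *x509.Certificate
	crl  *x509.RevocationList
}

// verifyPeer is the IKE phase-one check on the certificate a peer presents: it must chain
// to one of the configured roots, and that root's own CRL (not the CRL of the verifying
// router's enrollment CA) must not list its serial. A missing, unsigned or expired CRL fails closed.
func verifyPeer(configured []trustpoint, peer *x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, tp := range configured {
		roots.AddCert(tp.root)
	}
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("%s: no configured CA vouches for it: %w", peer.Subject.CommonName, err)
	}
	root := chains[0][len(chains[0])-1] // the trustpoint that issued the peer's certificate
	for _, tp := range configured {
		if !tp.root.Equal(root) || tp.crl == nil || tp.crl.CheckSignatureFrom(root) != nil || time.Now().After(tp.crl.NextUpdate) {
			continue
		}
		for _, rc := range tp.crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
				return fmt.Errorf("%s: revoked by %s", peer.Subject.CommonName, root.Subject.CommonName)
			}
		}
		return nil
	}
	return fmt.Errorf("%s: no current CRL for %s", peer.Subject.CommonName, root.Subject.CommonName)
}

// buildScenario sets up the two-domain case from the text: CA-East and CA-West, router-b
// enrolled with CA-West, plus an earlier router-b certificate that CA-West has since revoked.
func buildScenario() (east, west trustpoint, routerB, revokedB *x509.Certificate) {
	eastCA, eastKey := issue("CA-East", nil, nil)
	westCA, westKey := issue("CA-West", nil, nil)
	routerB, _ = issue("router-b", westCA, westKey)
	revokedB, _ = issue("router-b-old", westCA, westKey)
	east = trustpoint{eastCA, publishCRL(eastCA, eastKey)}
	west = trustpoint{westCA, publishCRL(westCA, westKey, revokedB.SerialNumber)}
	return east, west, routerB, revokedB
}

func main() {
	east, west, routerB, revokedB := buildScenario()
	// router-a is enrolled with CA-East; only with CA-West also configured can it verify router-b.
	fmt.Println("both trustpoints, router-b:", verifyPeer([]trustpoint{east, west}, routerB))
	fmt.Println("both trustpoints, old cert:", verifyPeer([]trustpoint{east, west}, revokedB))
	fmt.Println("CA-East only, router-b:   ", verifyPeer([]trustpoint{east}, routerB))
}
```

The third call in main is the situation the text warns about: with only its own enrollment CA configured, the router has no root that can validate the peer, and the CRL it downloaded from its own CA would say nothing about that peer either. That is why the revocation lookup is keyed to the root that actually issued the peer's certificate, and why it fails closed when that root's CRL is absent, not signed by the root, or past its NextUpdate.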
CA Registration Authorities
Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a
server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
OL-20382-01
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Information About Implementing Certification Authority
SC-65