Prerequisites For Implementing Certification Authority; Restrictions For Implementing Certification Authority; Information About Implementing Certification Authority; Supported Standards For Certification Authority Interoperability - Cisco IOS XR Configuration Manual

System security configuration guide

Implementing Certification Authority Interoperability on Cisco IOS XR Software

Prerequisites for Implementing Certification Authority

The following prerequisites are required to implement CA interoperability:

- You must be in a user group associated with a task group that includes the proper task IDs for security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
- You must install and activate the Package Installation Envelope (PIE) for the security software. For detailed information about optional PIE installation, refer to the Cisco IOS XR System Management Guide.
- You need to have a CA available to your network before you configure this interoperability feature. The CA must support Cisco Systems PKI protocol, the Simple Certificate Enrollment Protocol (SCEP) (formerly called certificate enrollment protocol [CEP]).

Restrictions for Implementing Certification Authority

Cisco IOS XR software does not support CA server public keys greater than 2048 bits.

Information About Implementing Certification Authority

To implement CA, you need to understand the following concepts:

- Supported Standards for Certification Authority Interoperability
- Certification Authorities

Supported Standards for Certification Authority Interoperability

Cisco supports the following standards:

- IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host.
- IKE—A hybrid protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations (SAs).
- Public-Key Cryptography Standard #7 (PKCS #7)—A standard from RSA Data Security Inc. used to encrypt and sign certificate enrollment messages.
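
A pre-enrollment check for the 2048-bit limit stated under Restrictions for Implementing Certification Authority, as an added example that is not part of the Cisco guide: it reads the RSA modulus size out of a DER-encoded SubjectPublicKeyInfo and compares it with that limit. It assumes the CA key is RSA; the function names and the dummy sample keys are constructed for illustration.

```python
# Added example: assumes an RSA CA key; names and sample keys are constructed.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
MAX_CA_KEY_BITS = 2048                         # limit stated in the Restrictions section

def read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) of the DER element at pos after checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("expected DER tag 0x%02x" % want_tag)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a DER-encoded SubjectPublicKeyInfo."""
    spki, _ = read_tlv(spki_der, 0, 0x30)      # SubjectPublicKeyInfo SEQUENCE
    alg, pos = read_tlv(spki, 0, 0x30)         # AlgorithmIdentifier SEQUENCE
    oid, _ = read_tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("not an RSA public key")
    bits, _ = read_tlv(spki, pos, 0x03)        # BIT STRING wrapping RSAPublicKey
    rsa_key, _ = read_tlv(bits[1:], 0, 0x30)   # skip the unused-bits octet
    modulus, _ = read_tlv(rsa_key, 0, 0x02)    # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def ca_key_supported(spki_der):
    """True when the CA key is within the 2048-bit limit."""
    return rsa_modulus_bits(spki_der) <= MAX_CA_KEY_BITS

def der(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_spki(bits):
    """Well-formed SPKI with a dummy modulus of the given size (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_key))
```

To check a real CA, pass `ca_key_supported` the DER form of the CA certificate's public key, for example the output of `openssl x509 -in ca.pem -noout -pubkey | openssl pkey -pubin -outform DER`, where `ca.pem` is a placeholder file name.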


This manual is also suitable for:

IOS XR 3.5