Cisco MDS 9000 Series Security Configuration Manual, page 193
Configuring IPSec Network Security
data to authenticate each other. When a new device is added to the network, you simply enroll that device with a CA, and none of the other devices needs modification. When the new device attempts an IPsec connection, certificates are automatically exchanged and the device can be authenticated.
Figure 12: Dynamically Authenticating Devices with a CA, on page 175 shows the process of dynamically authenticating the devices.
Figure 12: Dynamically Authenticating Devices with a CA
To add a new IPsec switch to the network, you need only configure that new switch to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPsec switches.
How CA Certificates Are Used by IPsec Devices
When two IPsec switches want to exchange IPsec-protected traffic passing between them, they must first authenticate each other; otherwise, IPsec protection cannot occur. The authentication is done with IKE.
IKE can use two methods to authenticate the switches: preshared keys without a CA, and RSA key pairs with a CA. Both methods require keys to be preconfigured between the two switches.
Without a CA, a switch authenticates itself to the remote switch using RSA-encrypted preshared keys. With a CA, a switch authenticates itself to the remote switch by sending a certificate to the remote switch and performing some public key cryptography. Each switch must send its own unique certificate that was issued and validated by the CA. This process works because the certificate of each switch encapsulates the public key of the switch, each certificate is authenticated by the CA, and all participating switches recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your switch can continue sending its own certificate for multiple IPsec sessions and to multiple IPsec peers until the certificate expires. When the certificate expires, the switch administrator must obtain a new one from the CA.
CAs can also revoke certificates for devices that will no longer participate in IPsec. Revoked certificates are not recognized as valid by other IPsec devices. Revoked certificates are listed in a certificate revocation list (CRL), which each peer may check before accepting a certificate from another peer.
Certificate support for IKE has the following considerations:
• The switch FQDN (host name and domain name) must be configured before installing certificates for IKE.
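The checks described above (issuance by the trusted CA, certificate expiry, the FQDN the certificate is bound to, and the CRL lookup a peer may make before accepting a certificate), worked through as an added Go example that is not part of this guide or of the MDS software. It builds a constructed lab PKI with Go's standard library (the CA name, the switch FQDNs sw1.example.net and sw2.example.net, and the serial numbers are assumptions) and shows which peer certificates acceptPeerCert rejects.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var now = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the lab PKI

// issue generates an RSA key pair and a certificate for tmpl, signed by signer under parent (parent == nil: self-signed CA).
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	if parent == nil { parent, signer = tmpl, key } // the CA signs its own certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// acceptPeerCert mirrors what a peer checks on the certificate presented during IKE: issued by the trusted CA, within its validity period at "at", bound to the expected FQDN, and not listed on a fresh CA-signed CRL.
func acceptPeerCert(peer, ca *x509.Certificate, crl *x509.RevocationList, fqdn string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only trust anchor is the CA every switch enrolled with
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: fqdn, CurrentTime: at}); err != nil {
		return err // untrusted issuer, expired or not yet valid, or FQDN mismatch
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || at.After(crl.NextUpdate) {
		return errors.New("CRL is not a fresh, CA-signed list")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 { return errors.New("certificate revoked by CA") }
	}
	return nil
}
// Scenario builds the constructed lab PKI: the CA, switch certs for sw1.example.net (serial 10, valid) and sw2.example.net (serial 11) with the FQDN in the SAN, and the CA's CRL revoking serial 11.
func Scenario() (ca *x509.Certificate, crl *x509.RevocationList, sw1, sw2 *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0)}, nil, nil)
	sw1, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(10), DNSNames: []string{"sw1.example.net"}, NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0)}, ca, caKey)
	sw2, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(11), DNSNames: []string{"sw2.example.net"}, NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0)}, ca, caKey)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: sw2.SerialNumber, RevocationTime: now}}}, ca, caKey)
	if err != nil { panic(err) }
	crl, _ = x509.ParseRevocationList(der)
	return
}
```

Calling acceptPeerCert with a later "at" shows the two expiry cases the guide mentions: the switch certificate itself running out, and the CRL going stale past its NextUpdate.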
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
175