IPsec Digital Certificate Support
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Every time a new switch is added to the IPsec network, you must configure keys between the new switch
and each of the existing switches. (In
required to add a single encrypting switch to the network.)
Consequently, the more devices that require IPsec services, the more involved the key administration
becomes. This approach does not scale well for larger, more complex encrypting networks.
Implementing IPsec with CAs and Digital Certificates
With CA and digital certificates, you do not have to configure keys between all the encrypting switches.
Instead, you individually enroll each participating switch with the CA, requesting a certificate for the
switch. When this has been accomplished, each participating switch can dynamically authenticate all the
other participating switches. When two devices want to communicate, they exchange certificates and
digitally sign data to authenticate each other. When a new device is added to the network, you simply
enroll that device with a CA, and none of the other devices needs modification. When the new device
attempts an IPsec connection, certificates are automatically exchanged and the device can be
Cisco MDS 9000 Family CLI Configuration Guide
Two IPsec Switches Without CAs and Digital Certificates
Four IPsec Switches Without a CA and Digital Certificates
shows the process of dynamically authenticating the devices.
35-3, four additional two-part key configurations are
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Configuring IPsec Network Security