Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 70
IOS XR System Security Configuration Guide

Information About Implementing Certification Authority
public key indicates that the holder of the private key, the sender, must have created the message. This
process relies on the receiver's having a copy of the sender's public key and knowing with a high degree
of certainty that it does belong to the sender and not to someone pretending to be the sender.
Digital certificates provide the link. A digital certificate contains information to identify a user or device,
such as the name, serial number, company, department, or IP address. It also contains a copy of the
entity's public key. The certificate is itself signed by a CA, a third party that is explicitly trusted by the
receiver to validate identities and to create digital certificates.
To validate the signature of the CA, the receiver must first know the CA's public key. Normally, this
process is handled out-of-band or through an operation done at installation. For instance, most web
browsers are configured with the public keys of several CAs by default. IKE, an essential component of
IPSec, can use digital signatures to authenticate peer devices before setting up SAs; this is what lets peer authentication scale.
Without digital signatures, a user must manually exchange either public keys or secrets between each
pair of devices that use IPSec to protect communication between them. Without certificates, every new
device added to the network requires a configuration change on every other device with which it
communicates securely. With digital certificates, each device is enrolled with a CA. When two devices
want to communicate, they exchange certificates and digitally sign data to authenticate each other. When
a new device is added to the network, a user simply enrolls that device with a CA, and none of the other
devices needs modification. When the new device attempts an IPSec connection, certificates are
automatically exchanged and the device can be authenticated.
IPSec Without CAs
Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you
must first ensure that each router has the key of the other router (such as an RSA public key or a shared
key). This requirement means that you must manually perform one of the following operations:
• At each router, enter the RSA public key of the other router.
• At each router, specify a shared key to be used by both routers.
If you have multiple Cisco routers in a mesh topology and want to exchange IPSec traffic passing among
all of those routers, you must first configure shared keys or RSA public keys among all of those routers.
Every time a new router is added to the IPSec network, you must configure keys between the new router
and each of the existing routers.
Consequently, the more devices there are that require IPSec services, the more involved the key
administration becomes. This approach does not scale well for larger, more complex encrypting
networks.
IPSec with CAs
With a CA, you need not configure keys between all the encrypting routers. Instead, you individually
enroll each participating router with the CA, requesting a certificate for the router. When this enrollment
has been accomplished, each participating router can dynamically authenticate all the other participating
routers.
To add a new IPSec router to the network, you need only configure that new router to request a certificate
from the CA, instead of making multiple key configurations with all the other existing IPSec routers.
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Implementing Certification Authority Interoperability on Cisco IOS XR Software
OL-20382-01
SC-64
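The following Go program is an added example, not code from the Cisco guide and not IOS XR configuration; it models the certificate mechanism described in the sections above (the CA-signed certificate that links a public key to an identity, and the enrollment model in which a receiver holds only the CA's key). A CA issues certificates to devices; a receiver that trusts only the CA certificate authenticates any enrolled peer by validating the certificate chain and then the peer's signature; a device enrolled later is accepted without reconfiguring the others; a certificate issued by a CA outside the trust store, or a signature that does not match the data, is rejected. The CA and router names, serial numbers and the signed payload are constructed for the example, and ECDSA P-256 stands in for the RSA keys the text mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Entity is a key holder: the CA (self-signed certificate) or an enrolled
// device (certificate signed by the CA). Only the certificate ever leaves it.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a key pair for name and a certificate binding name to the new
// public key, signed by parent, or self-signed when creating the CA itself.
func issue(name string, serial int64, isCA bool, parent *Entity) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	parentCert, signer := tmpl, key // self-signed by default
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Entity{Key: key, Cert: cert}
}

// NewCA creates the trusted third party; its certificate is what each device
// receives out-of-band at installation time.
func NewCA(name string) *Entity { return issue(name, 1, true, nil) }

// Enroll is the per-device step; no existing device is touched.
func Enroll(ca *Entity, name string, serial int64) *Entity { return issue(name, serial, false, ca) }

// TrustStore holds the one key a peer needs beforehand: the CA's.
func TrustStore(ca *Entity) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// Sign produces the device's signature over msg with its private key.
func Sign(d *Entity, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, d.Key, digest[:])
	check(err)
	return sig
}

// Authenticate is the receiver side: the presented certificate must chain to a
// trusted CA (so the public key in it really belongs to the named peer), and the
// signature must verify under that public key. Either failure rejects the peer.
func Authenticate(roots *x509.CertPool, peer *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate for %q not trusted: %w", peer.Subject.CommonName, err)
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type in certificate")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature from %q does not verify", peer.Subject.CommonName)
	}
	return nil
}

func main() {
	ca := NewCA("example-corp-ca") // constructed name
	roots := TrustStore(ca)
	a, b := Enroll(ca, "router-a", 2), Enroll(ca, "router-b", 3)
	msg := []byte("IKE authentication payload") // constructed sample data
	fmt.Println("a authenticates b:", Authenticate(roots, b.Cert, msg, Sign(b, msg)))
	c := Enroll(ca, "router-c", 4) // added later; a and b are not reconfigured
	fmt.Println("a authenticates c:", Authenticate(roots, c.Cert, msg, Sign(c, msg)))
	impostor := Enroll(NewCA("untrusted-ca"), "router-a", 2) // same name, wrong CA
	fmt.Println("impostor:", Authenticate(roots, impostor.Cert, msg, Sign(impostor, msg)))
	_ = a
}
```

The two-step check in Authenticate is the point of the section: the signature alone proves possession of some private key, but only the chain validation against the out-of-band CA certificate proves that the key belongs to the named router rather than to someone presenting a certificate from an untrusted issuer.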