Cisco IOS XR Configuration Manual page 16
System security configuration guide (Cisco IOS XR System Security Configuration Guide, page SC-4)

Implementing Certification Authority Interoperability on Cisco IOS XR Software

Information About Implementing Certification Authority
Without digital signatures, a user must manually exchange either public keys or secrets between each pair of devices that use IPSec to protect communication between them. Without certificates, every new device added to the network requires a configuration change on every other device with which it communicates securely. With digital certificates, each device is enrolled with a CA. When two devices want to communicate, they exchange certificates and digitally sign data to authenticate each other. When a new device is added to the network, a user simply enrolls that device with a CA, and none of the other devices needs modification. When the new device attempts an IPSec connection, certificates are exchanged automatically and the device can be authenticated.
IPSec Without CAs

Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the key of the other router (such as an RSA public key or a shared key). This requirement means that you must manually perform one of the following operations:

- At each router, enter the RSA public key of the other router.
- At each router, specify a shared key to be used by both routers.

If you have multiple Cisco routers in a mesh topology and want to exchange IPSec traffic among all of those routers, you must first configure shared keys or RSA public keys among all of those routers. Every time a new router is added to the IPSec network, you must configure keys between the new router and each of the existing routers.

Consequently, the more devices there are that require IPSec services, the more involved the key administration becomes: the number of pairwise keys grows with the number of router pairs, not with the number of routers. This approach does not scale well for larger, more complex encrypting networks.

IPSec with CAs

With a CA, you need not configure keys between all the encrypting routers. Instead, you individually enroll each participating router with the CA, requesting a certificate for the router. When this enrollment has been accomplished, each participating router can dynamically authenticate all the other participating routers, because every router holds the CA certificate needed to verify any certificate the CA has issued.

To add a new IPSec router to the network, you need only configure that new router to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPSec routers.

IPSec with Multiple Trustpoint CAs

With multiple trustpoint CAs, you no longer have to enroll a router with the CA that issued a certificate to a peer. Instead, you configure a router with multiple CAs that it trusts. Thus, a router can use a configured CA (a trusted root) to verify certificates offered by a peer that were not issued by the same CA that issued the router's own identity certificate.

Configuring multiple CAs allows two or more routers enrolled under different domains (different CAs) to verify the identity of each other when using IKE to set up IPSec tunnels.

Through SCEP, each router is configured with one CA, the enrollment CA. The enrollment CA issues a certificate to the router that is signed with the private key of the CA. To verify the certificates of peers in the same domain, the router is also configured with the root certificate of the enrollment CA.

To verify the certificate of a peer from a different domain, the root certificate of the enrollment CA in the domain of the peer must be configured securely in the router. "Securely" matters here: any certificate chaining to a root the router trusts is accepted as a valid peer identity, so the root certificate must be obtained through a trusted channel and its fingerprint checked against a value obtained out of band before the router is configured to trust it.
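As an added illustration, not taken from this guide, the following Cisco IOS XR configuration sketches the multiple-trustpoint arrangement described above: a router enrolled through SCEP with its own domain's CA, plus a second trustpoint that is never enrolled and exists only to hold the root certificate of the peer domain's CA. The trustpoint names, key-pair label, subject name, hostnames and URLs are assumed. The IKE policy that selects certificate-based (rsa-sig) authentication is configured separately and is not shown.

```text
! Added example, not from the original guide. Trustpoint names, key label,
! subject name and URLs are assumed values.

! 1. Generate the RSA key pair that will be bound to this router's identity
!    certificate (exec mode).
crypto key generate rsa general-keys router1-key

! 2. Enrollment CA for this router's own domain (global configuration mode).
crypto ca trustpoint domainA-ca
 enrollment url http://ca-a.example.net:80
 subject-name CN=router1.example.net,OU=Core,O=Example
 rsakeypair router1-key
 enrollment retry count 5
 enrollment retry period 2
!
! 3. Second trustpoint for the peer domain's CA. The router is never enrolled
!    with it; it only supplies the trusted root used to verify certificates
!    that peers from domain B present during IKE.
crypto ca trustpoint domainB-ca
 enrollment url http://ca-b.example.org:80
!
commit

! 4. Obtain the CA certificates (exec mode). Each command retrieves the CA
!    certificate over SCEP and shows its fingerprint before asking you to
!    accept it. Compare that fingerprint with one obtained out of band from
!    the CA administrator: accepting a root means trusting every certificate
!    it has ever signed.
crypto ca authenticate domainA-ca
crypto ca authenticate domainB-ca

! 5. Request this router's own identity certificate from the enrollment CA
!    only. Nothing is requested from domainB-ca.
crypto ca enroll domainA-ca

! 6. Check: the CA certificate of each trustpoint and the router certificate
!    issued under domainA-ca should all be listed.
show crypto ca certificates
```

Adding a third domain later means authenticating one more trustpoint (step 4) on each router that must talk to it; no per-peer keys are entered anywhere, which is the scaling property the section describes.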

This manual is also suitable for: IOS XR 3.5