CA Servers Interoperable with Cisco Routers

CA interoperability permits Cisco IOS devices, PIX Firewalls, Cisco VPN Hardware devices, and CA servers to communicate so the VPN device can obtain and use digital certificates supplied by the CA. While IPSec can be implemented in the network without using a CA, the CA with SCEP provides enhanced manageability and scalability for IPSec.

The list of CAs supported could vary from VPN platform to platform, for example, PIX Firewalls might not support the same options as IOS devices or VPN hardware devices. A good idea is always to check the Cisco online documentation for the particular device and version of the operating system (OS) to confirm support and appropriate version numbers. The following are CA providers that support SCEP to interoperate for enrolling Cisco IOS routers:

VeriSign

Entrust Technologies, Inc.

Baltimore Technologies

Microsoft Corporation

VeriSign OnSite 4.5

The VeriSign’s OnSite 4.5 solution provides a fully integrated enterprise PKI to issue, control, and manage IPSec certificates for PIX Firewalls and Cisco routers. VeriSign administers the CA themselves, providing the certificates as a service. VeriSign OnSite service specifics include the following:

Requirements�"No local server requirements. Routers must be running IOS v 12.0.6 or higher and must have a retry count set to greater than 60.

Standards supported�"SCEP, x509 certificate format, and PKCS# 7, 10, 11, and 12.

For more information on VeriSign products and features, consult their web site at www.verisign.com.

Entrust Technologies

One major difference between CA servers is where the server is located and who administers it. Entrust is a software solution that’s installed and administered by the user on a local network server. The Entrust/PKI service is able to issue digital IDs to any device or application supporting the X.509 certificate standard. This implementation offers a secure, flexible, and low-cost solution from one PKI. Entrust/PKI service specifics include the following:

Requirements�"Entrust software runs on the Windows servers (for Cisco interoperability), Solaris 2.6, HP-UX 10.20, and AIX 4.3 OSs. Requires RSA usage-keys configured on the routers. Cisco IOS release 11.(3)5T and later.

Standards supported�"CA services, RA capabilities, SCEP, and PKCS#10.

For more information on Entrust products and features, consult their web site at www.entrust.com.

Baltimore Technologies

Baltimore Technologies supports SCEP in UniCERT, its CA server, as well as the PKI Plus toolkit, making it easy for customers to implement certificates in their networks. UniCERT is a software solution installed and administered by the user on a local network server. Baltimore Technologies service specifics include the following:

Requirements�"The current release of the UniCERT CA software module is available for Windows servers. Must use Cisco IOS release 12.0(5)T and later.
Standards Supported�"The following standards are supported with this CA server: X509 v3, CRL version 2, PKCS# 1, 7, 10, 11, and 12, and many more protocols.

For more information on Baltimore products and features, consult their web site at
www.baltimore.com.

Microsoft Windows 2000 Certificate Services

Microsoft has integrated SCEP support into the Windows 2000 CA server via the Security Resource Kit for Windows 2000. This SCEP support allows Microsoft clients to obtain certificates and certificate revocation information from Microsoft Certificate Services for all of Cisco’s VPN security solutions.

Requirements�"Intel-based PC running Windows 2000 Server. Cisco IOS release 12.0(5)T or later.
Standards Supported�"The following standards are supported with this CA server: X.509 version 3, CRL version 2, PKCS #7, #10, and #12, and many more protocols.

For more information on Microsoft products and features, consult their web site at
www.microsoft.com.

CA Servers Interoperable with Cisco Routers