https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389171#M920050 <P>Hi:</P><P>I have&nbsp; a hub and spoke network with PKI based security.&nbsp; My question is , during normal operations , after certificates after been issued and the spoke routers have SA associations set up, are&nbsp; there any more&nbsp; communications with the CA server? Assuming that the hub and spoke routers&nbsp; are constantly communicating is there a need for the CA server? Even is the communication between&nbsp; a hub router a spoke router have to be renewed, is the CA server involved? As long as the certificates don't expire, is the CA server involved?</P><P></P><P></P><P>&nbsp; thanks</P><P></P><P>Mickey</P> Fri, 21 Feb 2020 13:02:17 GMT mikik 2020-02-21T13:02:17Z https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389171#M920050 <P>Hi:</P><P>I have&nbsp; a hub and spoke network with PKI based security.&nbsp; My question is , during normal operations , after certificates after been issued and the spoke routers have SA associations set up, are&nbsp; there any more&nbsp; communications with the CA server? Assuming that the hub and spoke routers&nbsp; are constantly communicating is there a need for the CA server? Even is the communication between&nbsp; a hub router a spoke router have to be renewed, is the CA server involved? As long as the certificates don't expire, is the CA server involved?</P><P></P><P></P><P>&nbsp; thanks</P><P></P><P>Mickey</P> Fri, 21 Feb 2020 13:02:17 GMT https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389171#M920050 mikik 2020-02-21T13:02:17Z https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389172#M920051 <HTML><HEAD></HEAD><BODY><P>In general, the CA is only needed when a new certificate has to be issued. The normal IPSec-tunnel-setup doesn't need the CA at all.</P><P></P><P>But: When the tunnel-setup is done, the hub (or even both hub and spoke) can be configured to compare the serial-number of the presented certificate against a list of revoked certificates (a CRL, Certificate Revocation List). Although not a best practice, this list is often served by the CA. If your PKI is configured that way, then the CA has to be online all the time. If best practice was followed while setting up the CA, the CRL is published to a different server and the CA only has to be online when new certificates are issued or a new CRL is published. Here the server hosting the CRL has to be online all the time.</P><P></P><P>Similar concept, instead of a CRL you could use the Online Certificate Status Protolol (OCSP), but here is the same, instead of running that service on the CA it's better to use a different system for that.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Sun, 10 Nov 2013 22:02:30 GMT https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389172#M920051 Karsten Iwen 2013-11-10T22:02:30Z https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389173#M920052 <HTML><HEAD></HEAD><BODY><P>Hi:</P><P></P><P>Thanks for the answer. This is also my understanding but was not sure. </P><P></P><P>Mickey</P></BODY></HTML> Mon, 11 Nov 2013 06:39:05 GMT https://community.cisco.com/t5/network-security/when-is-the-ca-server-necesaary/m-p/2389173#M920052 mikik 2013-11-11T06:39:05Z