When is the CA server necessary?

mikik
Level 1

Hi:

I have a hub and spoke network with PKI based security. My question is, during normal operations, after certificates have been issued and the spoke routers have security associations (SAs) set up, are there any more communications with the CA server? Assuming that the hub and spoke routers are constantly communicating, is there a need for the CA server? Even if the communication between a hub router and a spoke router has to be renewed, is the CA server involved? As long as the certificates don't expire, is the CA server involved?

Thanks

Mickey

Accepted Solution

In general, the CA is only needed when a new certificate has to be issued. The normal IPsec tunnel setup doesn't need the CA at all.

But: when the tunnel setup is done, the hub (or even both hub and spoke) can be configured to compare the serial number of the presented certificate against a list of revoked certificates (a CRL, Certificate Revocation List). Although not a best practice, this list is often served by the CA. If your PKI is configured that way, then the CA has to be online all the time. If best practice was followed while setting up the CA, the CRL is published to a different server and the CA only has to be online when new certificates are issued or a new CRL is published. In that case the server hosting the CRL has to be online all the time.

A similar concept: instead of a CRL you could use the Online Certificate Status Protocol (OCSP), but here it is the same: instead of running that service on the CA, it's better to use a different system for that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
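As an added illustration (not from the original thread), here is a small Python model of the revocation check a hub performs at tunnel setup as described in the answer above: the CA is never contacted, the only network dependency is the host serving the CRL, and a cached CRL carries the hub through a CRL-host outage only until its nextUpdate. The ordered fallback list (CRL, then none) mirrors the revocation-check method list on router trustpoints; the Crl and CrlCache types, the fetch callback and all sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional, Set, Tuple

@dataclass
class Crl:
    this_update: datetime
    next_update: datetime          # after this a cached copy is stale
    revoked_serials: Set[int]

class CrlHostDown(Exception):
    """The CRL distribution point could not be reached."""

@dataclass
class CrlCache:
    crl: Optional[Crl] = None      # last CRL fetched, reused until next_update

def check_peer_cert(serial: int, not_after: datetime, now: datetime,
                    cache: CrlCache, fetch: Callable[[], Crl],
                    policy: Tuple[str, ...] = ("crl",)) -> Tuple[bool, str]:
    """Accept or reject a peer certificate at tunnel setup. The CA is never
    contacted; fetch() is the only network call and reaches the CRL host.
    policy is an ordered list of methods, e.g. ("crl",) or ("crl", "none"),
    tried in turn. Returns (allowed, reason)."""
    if now > not_after:
        return False, "certificate expired"
    for method in policy:
        if method == "none":
            return True, "revocation check skipped by policy"
        if method == "crl":
            crl = cache.crl
            if crl is None or now >= crl.next_update:
                try:
                    crl = cache.crl = fetch()   # the only call that can fail
                except CrlHostDown:
                    continue                    # fall through to next method
            if serial in crl.revoked_serials:
                return False, "certificate revoked"
            return True, "crl ok"
    return False, "no revocation method succeeded"

# Constructed sample data, not taken from any real PKI
NOW = datetime(2024, 1, 1, 12, 0)
NOT_AFTER = NOW + timedelta(days=365)
SAMPLE_CRL = Crl(NOW, NOW + timedelta(hours=1), revoked_serials={0x1001})
STALE_TIME = NOW + timedelta(hours=2)   # past next_update: cache is stale
```

With a strict policy of ("crl",) a stale cache plus an unreachable CRL host blocks new tunnels even though every certificate is still valid; adding "none" as a fallback keeps tunnels coming up but without any revocation check.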

2 Replies


Hi:

Thanks for the answer. This is also my understanding but was not sure.

Mickey
