Hi
I have a two-tier CA architecture - an offline root CA, which signs the certificates of two online issuing CAs.
In order to get this to work, I need to authenticate BOTH the issuing CA *and* the root CA on the VPN endpoints (IOS routers) - using the command 'crypto ca authenticate' twice - once with a trustpoint for the root CA and again with the trustpoint for the issuing CA.
However, this means that, in order to set up IPSec with CAs, I need network access to the root CA - which prevents me from taking it offline.
Is there any way around this - can I 'trust' the root CA's certificate without having access to it over the network?
Any ideas/links will be very much appreciated.
Cheers,
Matt
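As an added illustration (not part of the original post), here is an IOS trustpoint layout in which the root CA certificate is imported by pasting its PEM at the console (`enrollment terminal`) while only the issuing CA is reached over the network; the trustpoint names and the SCEP URL are placeholders, and older IOS releases spell the commands `crypto ca ...` rather than `crypto pki ...`.

```text
! Root CA: authenticated from a pasted certificate, never contacted online.
! The PEM is exported once from the offline root and carried to the router.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
 chain-validation stop
!
! Issuing CA: reachable over the network for enrollment and CRL retrieval.
! chain-validation continue links it to the root trustpoint above so the
! full chain (endpoint -> issuing CA -> root) is validated.
crypto pki trustpoint ISSUING-CA
 enrollment url http://issuing-ca.example.com:80
 revocation-check crl
 chain-validation continue ROOT-CA
!
! Step 1: import the root certificate by pasting the PEM when prompted.
crypto pki authenticate ROOT-CA
! (paste -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- then 'quit')
!
! Step 2: fetch the issuing CA certificate over SCEP and verify its fingerprint.
crypto pki authenticate ISSUING-CA
!
! Step 3: enroll the router's own identity certificate with the issuing CA.
crypto pki enroll ISSUING-CA
!
! Verification: both trustpoints should show a CA certificate.
show crypto pki certificates
```

Compare the fingerprint printed during each `authenticate` step against the value obtained out of band from the CA operator before accepting the certificate.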