858 Views, 0 Helpful, 1 Replies

DMVPN Question on Spoke CA keys

FLOYD SALAZAR
Level 4

Question:

In commissioning a Hub and Spoke Architecture in a DMVPN design.

My question, for each spoke router that is looking to authenticate into the network with CA nodes, is: does each router create its own RSA key?

Here is the configuration for each spoke:

    i/  Generate RSA key pair
            config t
            crypto key generate rsa label <spoke-keys>
            ! (generates 512 bit RSA keys)

    ii/ Configure enrollment on Spoke router to Hub network
            config t
            crypto pki trustpoint ra
             enrollment url http://A.B.C.D:80
             revocation-check none
             auto-enroll 70 regenerate
             rsakeypair <spoke-keys>
            exit

So does each Spoke router have to create a unique key to authenticate to RA-HUB node?

i.e. spoke-key = a new one for each spoke; 20 spokes equals 20 different spoke-keys.

Not sure and need some insight.

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Floyd,

For security reasons each spoke should deploy its own RSA keys, so that a compromised device does not expose other systems.

The use of PKI allows for scalability:

In the case of a spoke-to-spoke dynamic tunnel it is enough that both can produce a digital certificate signed by the same trusted CA in order to authenticate each other.

Nowadays you can set up a CA on a router, for example, without the need to deploy a dedicated server.

see

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv.html

Hope to help

Giuseppe
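One way to verify the per-spoke key point above on a deployed DMVPN, as an added example that is not part of this thread: an audit over the certificates collected from each spoke (what "show crypto pki certificates" reports) that flags a public key shared by more than one spoke, a modulus below a policy floor, and a certificate not issued by the expected CA. The spoke names, issuer name, key bytes and the 2048-bit floor are constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed inventory standing in for the per-spoke certificate data an
# operator would collect (hostname, issuer, RSA modulus bits, public-key bytes).
# The key bytes are placeholders, not real DER; spoke4 deliberately reuses spoke1's key.
SPOKE_CERTS = [
    {"host": "spoke1", "issuer": "CN=ra-ca", "bits": 2048, "spki": b"key-A"},
    {"host": "spoke2", "issuer": "CN=ra-ca", "bits": 2048, "spki": b"key-B"},
    {"host": "spoke3", "issuer": "CN=ra-ca", "bits": 512, "spki": b"key-C"},
    {"host": "spoke4", "issuer": "CN=ra-ca", "bits": 2048, "spki": b"key-A"},
    {"host": "spoke5", "issuer": "CN=other", "bits": 2048, "spki": b"key-D"},
]

MIN_MODULUS_BITS = 2048  # assumed policy floor for RSA enrollments


def fingerprint(spki: bytes) -> str:
    """SHA-256 of the public-key bytes: identical keys give identical fingerprints."""
    return hashlib.sha256(spki).hexdigest()


def audit_spoke_keys(certs, expected_issuer, min_bits=MIN_MODULUS_BITS):
    """Return keys shared by several spokes, weak moduli, and unexpected issuers."""
    hosts_by_fp = defaultdict(list)
    for c in certs:
        hosts_by_fp[fingerprint(c["spki"])].append(c["host"])
    return {
        # A key present on two devices means one compromise exposes both.
        "shared_keys": {fp: h for fp, h in hosts_by_fp.items() if len(h) > 1},
        "weak_keys": [c["host"] for c in certs if c["bits"] < min_bits],
        "wrong_issuer": [c["host"] for c in certs if c["issuer"] != expected_issuer],
    }


if __name__ == "__main__":
    for kind, items in audit_spoke_keys(SPOKE_CERTS, "CN=ra-ca").items():
        print(kind, items)
```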
