
PKI - IOS CA Router backup

snarayanaraju
Level 4

Hello All - A Cisco IOS router is configured as a Certificate Authority (CA) server. There are 800 branches configured with IPsec tunnels to the datacenter router using PKI certificates.

 

In the event the CA router crashes or goes offline:

1) Will it impact the existing IPsec tunnels?

2) What should we plan for a backup of the IOS CA router, to bring the CA up on other hardware?

 

Regards, Sairam

 

 

 

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Sairam,

give a read to the following document

https://community.cisco.com/t5/security-documents/ios-ca-basic-deployment-certificate-enrollment-and-signing/ta-p/3120844

 

About your questions:

1) The IPSec tunnels will not be affected as long as there is no need to consult the failed / offline CA. So for sure you cannot deploy new sites, and what happens when the current IPSec SAs expire may depend on configuration.

 

2) I don't know if it is even possible to back up a CA, because RSA keys are involved, and while we have commands to generate RSA keys, I don't know if there are commands to import them.

It is a good question.

 

Hope to help

Giuseppe

 


2 Replies


Thank you, Giuseppe - Glad to see a reply from you for my post. It helps a lot.

I will read the URL you provided and will get back if I have any questions. Thanks again.

 

Regards, Sairam