Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2002
Views
0
Helpful
3
Replies

Is More than one Trust Point possible for Certificate Authority Services

canero
Level 1
Level 1

‎03-01-2011 05:27 AM

Hello,

We are configuring Windows 2008 Certificate Authority for distributing certificates to the routers in order to create Site-to-Site IPSec tunnel authentication. For redundancy of the CA Design, it would be a good choice if we could configure more than 1 trust points on the CLI of the router?

If the Primary CA is lost, the router should renew or authenticate its certificate from the second trusted CA when it expires. If it is possible to enter priority for these CAs, it would also possibe to load-balance.

Otherwise we should use a hardware load balancer or NLB Services,

Thanks in Advance,

Best Regards,

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎03-01-2011 09:34 AM

Hi,

There is no problem to have multiple trustpoints to multiple (or even same) CAs.

What you can do is to bind trustpoint to particular isakmp profile, while this is not a completly fool proof method or redundancy, it is a way to pick one of them to validate peer.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c1.html#wp1052663

The actual behavior is to send valid certificate information in MM3 or MM4 in CERT_REQ payloads.

As far as I know there is no way to enroll on demand based on a trigger (save for running a EEM script), but you can maybe investigare provisioning ... SDP used to be the way.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_setup_SDP_piki_ps6441_TSD_Products_Configuration_Guide_Chapter.html

(Most of people avoid this, due to being relateively complex)

Marcin

0 Helpful

canero
Level 1
Level 1

‎03-01-2011 09:50 AM

Hello Marcin,

The link is a good way to seperate trustpoints according to router groups (e.g. region or model), it will provide load balancing for sure. It would be far better if there is a way to configure 2 trustpoints for redundancy, if one of them is not available, use the second trustpoint. By this way it would also be possible to load-balance as well by interchanging the priorities.

The second link is the same as the first link, does the complex way provide redundancy as well?

As a workaround, we thought of configuring a DNS A record with a TTL of 1 hour, and if there is a problem with the primary subordinate CA, manually changing the  A record to the backup will direct the router to the secondary subordinate CA within 1 hour, which uses host names to resolve the subordinate IP address. The failover time is enough because the certificate renewal time is generally more than this duration.

Best Regards,

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to canero

‎03-02-2011 09:07 AM

Hi,

(I changed the second link)

I think I'm missing something.Just changing the A recrod would would make things fail, there could be moment where you autehnticate cert from CA A at CA B (CRL/LDAP A record changed whatever?).

I don't believe you can built redundancy with two certificates in a failover scanario, not with IPsec which will use and all available and applicable certificates.

Why not concentrate on having the (mostly) CRL and the CA (only for re-enrollment) highly available instead?

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents