03-01-2011 05:27 AM
Hello,
We are configuring Windows 2008 Certificate Authority for distributing certificates to the routers in order to create Site-to-Site IPSec tunnel authentication. For redundancy of the CA Design, it would be a good choice if we could configure more than 1 trust points on the CLI of the router?
If the Primary CA is lost, the router should renew or authenticate its certificate from the second trusted CA when it expires. If it is possible to enter priority for these CAs, it would also possibe to load-balance.
Otherwise we should use a hardware load balancer or NLB Services,
Thanks in Advance,
Best Regards,
03-01-2011 09:34 AM
Hi,
There is no problem to have multiple trustpoints to multiple (or even same) CAs.
What you can do is to bind trustpoint to particular isakmp profile, while this is not a completly fool proof method or redundancy, it is a way to pick one of them to validate peer.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c1.html#wp1052663
The actual behavior is to send valid certificate information in MM3 or MM4 in CERT_REQ payloads.
As far as I know there is no way to enroll on demand based on a trigger (save for running a EEM script), but you can maybe investigare provisioning ... SDP used to be the way.
(Most of people avoid this, due to being relateively complex)
Marcin
03-01-2011 09:50 AM
Hello Marcin,
The link is a good way to seperate trustpoints according to router groups (e.g. region or model), it will provide load balancing for sure. It would be far better if there is a way to configure 2 trustpoints for redundancy, if one of them is not available, use the second trustpoint. By this way it would also be possible to load-balance as well by interchanging the priorities.
The second link is the same as the first link, does the complex way provide redundancy as well?
As a workaround, we thought of configuring a DNS A record with a TTL of 1 hour, and if there is a problem with the primary subordinate CA, manually changing the A record to the backup will direct the router to the secondary subordinate CA within 1 hour, which uses host names to resolve the subordinate IP address. The failover time is enough because the certificate renewal time is generally more than this duration.
Best Regards,
03-02-2011 09:07 AM
Hi,
(I changed the second link)
I think I'm missing something.Just changing the A recrod would would make things fail, there could be moment where you autehnticate cert from CA A at CA B (CRL/LDAP A record changed whatever?).
I don't believe you can built redundancy with two certificates in a failover scanario, not with IPsec which will use and all available and applicable certificates.
Why not concentrate on having the (mostly) CRL and the CA (only for re-enrollment) highly available instead?
Marcin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide