Mikael Gustafsson

Hi all,

I'm trying to get a general idea of what best practices there are for securing Internet-facing Sub-CA servers in a DMVPN.

For example:

What is done to control that only the Spokes are allowed to request a certificate?

What should be considered if the Sub-CA is a Microsoft CA server instead of a Cisco router? Pros and Cons here?

General tips. :-)


2 Replies

Marcin Latosiewicz
Cisco Employee


In general:

- Host CDP/CRL externally, not on the CA/subCA (make sure the CA/subCA writes it to an external location, and make sure this location has some fault tolerance!!).

This way, a temporary failure of the CA/SubCA or CDP location will not cause a meltdown.

- Protect CA/subCAs; you can use an RA.

- Staged approach. For example: Use one set of CA/subCAs to establish initial management tunnel, enroll to PROTECTED CA/SubCA over management tunnel. Form data tunnel protected by authentication using the protected CA/subCA.

- Use DNS and not IP addresses.

- edit: Use SCEP, and make sure your CA/subCA supports enrollment and re-enrollment via SCEP. It saves a lot of time managing.

- MS CA is a good one and getting better, but it used to allow some flexibility where it should not (in structuring of certificates).

- Export RSA keys and certificates from CAs and subCAs (and RAs?) and store them somewhere secure (possibly one shut-down PC somewhere with disk encryption). Repeat the process every time they change. This makes it easier to recover from certain failures.

Plan on deploying FlexVPN rather than DMVPN, unless you have some compelling arguments for DMVPN (like old platform support).

A few tips from the top of my head,
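To make the external-CDP, SCEP re-enrollment and key-archive points above concrete, here is an added example of an IOS CA sub-CA and a matching spoke trustpoint. It is not from this thread or from Cisco documentation; all hostnames, trustpoint names, URLs and the archive password are assumed placeholders, and the management-tunnel-only reachability of the enrollment URL is an assumption about the network, not something the config enforces by itself.

```cisco
! --- Sub-CA router (IOS CA). Names and URLs are assumed placeholders.
! SCEP enrollment is served over HTTP, so the HTTP server must be on.
ip http server
crypto pki server SUBCA
 issuer-name CN=subca.example.net,O=Example
 database level complete
 database url flash:
 ! Write the CRL to an external, fault-tolerant store instead of keeping it on the CA.
 database url crl scp://pkiuser@crlstore.example.net/crl/
 ! Publish the CDP by DNS name, pointing at the external web server, not at the CA.
 cdp-url http://crl.example.net/subca.crl
 ! Archive the CA key and certificate (PKCS#12) so they can be stored offline.
 database archive pkcs12 password ARCHIVE-PW-PLACEHOLDER
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 ! Auto-grant only re-enrollment requests signed with a certificate this CA issued;
 ! first-time requests stay pending until an operator grants them.
 grant auto trustpoint SUBCA
 no shutdown
!
! --- Spoke router. Enrolls once through the management tunnel, then renews via SCEP.
crypto pki trustpoint SUBCA
 ! Assumed: this hostname resolves only to an address inside the management tunnel.
 enrollment url http://subca-mgmt.example.net:80
 fqdn spoke1.example.net
 subject-name CN=spoke1.example.net,OU=Spokes,O=Example
 revocation-check crl
 rsakeypair SPOKE1-KEY 2048
 ! Re-enroll at 70% of certificate lifetime with a freshly generated key pair.
 auto-enroll 70 regenerate
!
! --- Operator, on the sub-CA: review and grant the spoke's initial request by hand.
! crypto pki server SUBCA info requests
! crypto pki server SUBCA grant <request-id>
```

The `grant auto trustpoint` line is what keeps renewals hands-off while still forcing every new spoke through a manual approval step.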


More questions :-)

About authenticating the spoke before requesting a certificate: how would I do that?

Is there more than a staged approach? Like a fixed password etc.?

Thinking of both IOS CA and MS CA.

Do you know of any config examples for a staged approach?


