770 Views | 0 Helpful | 3 Replies

VPN l2l certificate authentication

Tony JOrdan, Level 1

Hi everyone,

I just wanted to clarify some of the crypto requirements for setting up an L2L VPN.

1. Trustpoint - does a trustpoint need only contain an identity / general certificate, or is a CA certificate required as well?

2. Trustpoint - do the CA and identity / general certificates have to belong to the same trustpoint reference?

3. Trustpoint - where are the public and private keys stored on flash?

4. For the PKI to work, must the devices configured with certs be able to reach the CA server?

Cheers

Tony

3 Replies

GioGonza, Level 4

Hello @Tony JOrdan,

Here are the responses:

1. Trustpoint - does a trustpoint need only contain an identity / general certificate, or is a CA certificate required as well?

If you are going to install the certificate on a Cisco ASA or Router, you need to have the whole chain installed (this includes the Root, Intermediate and Identity). As you are going to do Site to Site, you additionally need to install the Root and/or Intermediate in order to validate the same.

2. Trustpoint - do the CA and identity / general certificates have to belong to the same trustpoint reference?

The trustpoints are for the Identity certificates, and each is like this: 1 trustpoint = 1 identity. The CA are another kind of trustpoint, but you don't create them.

3. Trustpoint - where are the public and private keys stored on flash?

They are stored on the NVRAM.

4. For the PKI to work, must the devices configured with certs be able to reach the CA server?

No, as I said before, you need to install the chain for your certificate and the chain for the remote end.

HTH

Gio

Hi GioGonza,

Thanks very much for the explanations.

Just to be clearer on the CA certificates side of things:

In the configuration the CA cert would have to be associated to a trustpoint, yes?

As the CA cert could be associated to a different trustpoint, would that still work?

Cheers

Tony

Hello @Tony JOrdan,

In the configuration the CA cert would have to be associated to a trustpoint, yes?

It depends. If you have Root Certificate --> Identity, the associated trustpoint will appear on the Root.

If you have Root --> Intermediate --> Identity, the associated trustpoint will appear on the Intermediate and not on the Root.

As the CA cert could be associated to a different trustpoint, would that still work?

Yes, the CA cert is in the configuration to validate Identity certificates, so when you receive the connection it will use the CA for validation and it will look in the whole CA certificate database (it doesn't matter which trustpoint is associated).

HTH

Gio
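As an added example (not from this thread, and not Cisco's own documentation), here is how the trustpoints described in the answers above map onto an ASA configuration for an IKEv2 site-to-site tunnel: one trustpoint that carries this ASA's identity certificate together with its issuing intermediate CA, a CA-only trustpoint for the root above it, and a CA-only trustpoint for the peer's CA chain. The trustpoint and keypair names, the subject name and the peer address 203.0.113.2 are assumed placeholders; the IKEv2 policy, crypto map and interesting-traffic ACL are assumed to exist already, and the lines starting with "!" are annotations.

```cisco
! Keypair and trustpoint for this ASA's own identity certificate.
! This trustpoint holds the issuing (intermediate) CA and the identity cert.
crypto key generate rsa label ASA1-KEY modulus 2048
crypto ca trustpoint ISSUING-CA
 enrollment terminal
 subject-name CN=asa1.example.com,O=Example
 keypair ASA1-KEY
 revocation-check none
! Paste the intermediate CA certificate (PEM) when prompted:
crypto ca authenticate ISSUING-CA
! Generate the CSR, have the CA sign it, then paste the identity cert:
crypto ca enroll ISSUING-CA
crypto ca import ISSUING-CA certificate
!
! The root above the intermediate gets its own CA-only trustpoint.
crypto ca trustpoint ROOT-CA
 enrollment terminal
 revocation-check none
crypto ca authenticate ROOT-CA
!
! The remote peer's CA chain is installed the same way (CA certs only,
! no identity), so the peer's certificate can be validated offline.
crypto ca trustpoint PEER-CA
 enrollment terminal
 revocation-check none
crypto ca authenticate PEER-CA
!
! IKEv2 L2L tunnel: present our identity cert, require a cert from the peer.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ISSUING-CA
!
! Verify that a CA certificate is present for every link of both chains
! and see which trustpoint each installed certificate is associated with.
show crypto ca certificates
show crypto ca trustpoints
```

With `revocation-check none` the ASA never needs to reach the CA, which matches the answer above; if you set `revocation-check crl` or `revocation-check ocsp` instead, the ASA must be able to reach the CRL distribution point or OCSP responder named in the peer's certificate, so that is the one case where reachability matters.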

 

 
