Did some investigation. With the VPN client software and the ASA we have the option of sending the hierarchical chain of certificates, but I can't find it on IOS.
Does anyone know the command to enable it on IOS?

With regards
Kings

On Fri, Sep 2, 2011 at 3:13 PM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> If I have a VPN router enrolled to a subCA which is registered to another
> subCA, and that subCA is in turn registered to the root. Now I want this
> router to push the chain of certificates to the remote peer, which is
> configured for certificate chain validation. I am not able to push them. Any
> thoughts?
>
> This is out of CCIE scope :-)
>
> Snippet from
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_auth_rev_cert_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1088626
>
> PKI Certificate Chain Validation
>
> A certificate chain establishes a sequence of trusted certificates, from a
> peer certificate to the root CA certificate. Within a PKI hierarchy, all
> enrolled peers can validate the certificate of one another if the peers
> share a trusted root CA certificate or a common subordinate CA. Each CA
> corresponds to a trustpoint.
>
> When a certificate chain is received from a peer, the default processing of
> a certificate chain path continues until the first trusted certificate, or
> trustpoint, is reached. In Cisco IOS Release 12.4(6)T and later releases, an
> administrator may configure the level to which a certificate chain is
> processed on all certificates including subordinate CA certificates.
>
> Configuring the level to which a certificate chain is processed allows for
> the reauthentication of trusted certificates, the extension of a trusted
> certificate chain, and the completion of a certificate chain that contains a
> gap.
>
> *Reauthentication of Trusted Certificates*
>
> The default behavior is for the router to remove any trusted certificates
> from the certificate chain sent by the peer before the chain is validated.
> An administrator may configure certificate chain path processing so that the
> router does not remove CA certificates that are already trusted before chain
> validation, so that all certificates in the chain are re-authenticated for
> the current session.
>
> *Extending the Trusted Certificate Chain*
>
> The default behavior is for the router to use its trusted certificates to
> extend the certificate chain if there are any missing certificates in the
> certificate chain sent by the peer. The router will validate only
> certificates in the chain sent by the peer. An administrator may configure
> certificate chain path processing so that the certificates in the peer's
> certificate chain and the router's trusted certificates are validated to a
> specified point.
>
> *Completing Gaps in a Certificate Chain*
>
> An administrator may configure certificate chain processing so that if
> there is a gap in the configured Cisco IOS trustpoint hierarchy,
> certificates sent by the peer can be used to complete the set of
> certificates to be validated.
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
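For reference, the validating-side configuration that the quoted Cisco chapter describes, written out for the three-level hierarchy in the post (root -> subCA -> subCA -> VPN router). This is an added example, not configuration from the original post or from Cisco's documentation; the trustpoint names, enrollment URLs and revocation settings are assumed. It does not answer the sending-side question (how to make IOS push the intermediate certificates to the peer); it only shows how the receiving router is told to keep validating past the first trusted certificate instead of stopping there.

```cisco
! Added example (assumed trustpoint names and URLs), not from the post or from Cisco docs.
! Hierarchy being validated:  ROOT-CA -> SUB-CA1 -> SUB-CA2 -> peer (VPN router) certificate
!
! Default behaviour is "chain-validation stop" on every trustpoint: path processing
! halts at the first trusted certificate, so a peer certificate issued by SUB-CA2 is
! accepted as soon as SUB-CA2's certificate is found locally, and SUB-CA2 itself is
! never re-checked against SUB-CA1 or the root.
crypto pki trustpoint ROOT-CA
 enrollment terminal
 revocation-check none
 chain-validation stop
!
crypto pki trustpoint SUB-CA1
 enrollment url http://subca1.example.net:80
 revocation-check crl
 ! Validate SUB-CA1's own certificate against ROOT-CA instead of
 ! treating SUB-CA1 as a self-sufficient trust anchor.
 chain-validation continue ROOT-CA
!
crypto pki trustpoint SUB-CA2
 enrollment url http://subca2.example.net:80
 revocation-check crl
 ! Continue to SUB-CA1, which in turn continues to ROOT-CA, so the whole
 ! chain from the peer certificate up to the root is re-authenticated
 ! (including CRL checks on each subordinate CA) for every session.
 chain-validation continue SUB-CA1
!
! After "crypto pki authenticate" on each trustpoint, confirm the CA
! certificates and the configured chain-validation parents:
!   show running-config | section crypto pki trustpoint
!   show crypto pki certificates
```

The `chain-validation continue <parent-trustpoint>` lines are what implement the "extending the trusted certificate chain" and "reauthentication of trusted certificates" behaviours in the quoted text: each subordinate trustpoint names the trustpoint that issued it, and validation walks that linked list until a trustpoint with `chain-validation stop` (the root) is reached. Leaving a subordinate at the default `stop` means a compromised or revoked subordinate CA would still be accepted on the strength of its locally cached certificate alone.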
