Hi Mark,

Let me answer with another question :)
How would you configure the CA server to have RSA Keys with 2k or 4k length? Can you do that with an 'automatic' trustpoint?

Regards,
Piotr

2011/9/19 Mark Senteza <[email protected]>

> Hey all,
>
> When configuring your IOS router as a CA Server, I've read that you need to
> configure that very CA server's trustpoint and authenticate & enroll with
> it.
>
> In the past, every time I've configured a router as a CA server, the
> trustpoint is always auto-configured as soon as I "no shutdown" on the CA
> server i.e. I never configure the trustpoint on the CA server once I've
> set up the CA Server itself.
>
> I then proceed to configure the other devices that need to enroll with the
> CA Server, and they authenticate each other (authentication rsa-sig)
> successfully using the certificates when building VPNs. The difference I've
> noticed though, when I don't configure the trustpoint on the CA Server is
> that with the auto-configured trustpoint on the CA Server, the "enrollment
> url" statement isn't there.
>
> Example:
>
> crypto pki server R6CASERVER
>  database url flash:
>  grant auto
>  no shutdown
>
> crypto pki trustpoint R6CASERVER
>  enrollment url http://6.6.6.6:80    <- in
> the auto-configured trustpoint (once you run "no shutdown" above) this
> statement doesn't exist
>  revocation-check crl
>
> What is everybody else's experience when configuring CA Servers, and what's
> the best recommendation for me to adopt going forward?
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
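An added example, not part of either poster's message: one way to control the CA key size is to define the trustpoint with an `rsakeypair` statement before the CA server's first "no shutdown", so the server uses that key pair instead of auto-generating one. The names follow the R6CASERVER example in the quoted message; the 2048-bit size is an assumed choice.

```cisco
! Added example, not from the original thread.
! The trustpoint name must match the CA server name (R6CASERVER),
! and it must exist before the CA server is enabled for the first time.
! rsakeypair takes the key label and the modulus size in bits;
! 2048 is an assumed value, pick the size your policy requires.
crypto pki trustpoint R6CASERVER
 rsakeypair R6CASERVER 2048
 revocation-check crl
!
crypto pki server R6CASERVER
 database url flash:
 grant auto
 no shutdown
!
! Verification from exec mode after the server is up:
!   show crypto key mypubkey rsa
!   show crypto pki server
```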
