Yet they say in their White Papers that digital certificate authentication with 
IOS CA is the answer for enterprises to deploy VPN solutions ;)

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, June 01, 2012 12:47 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Listing issued certificates on IOS CA

I knew this would be your reply. Doing it for 80 clients would be difficult.

Cisco developed IOS CA server for a small scale not for an enterprise.

With regards
Kings
On Fri, Jun 1, 2012 at 1:01 PM, Eugene Pefti 
<[email protected]> wrote:
I knew about this, Kings.
It's not very user-friendly. This is what the nvram content of the CA server 
looks like:

R6#dir nvram:
Directory of nvram:/

  236  -rw-        2255                    <no date>  startup-config
  237  ----          24                    <no date>  private-config
  238  -rw-        2255                    <no date>  underlying-config
    1  -rw-           0                    <no date>  ifIndex-table
    2  ----          80                    <no date>  persistent-data
    3  -rw-        2945                    <no date>  cwmp_inventory
    6  -rw-          32                    <no date>  IOS-CA.ser
    7  -rw-         802                    <no date>  0x1.crt
    8  -rw-          72                    <no date>  0x1.cnm
    9  -rw-         403                    <no date>  IOS-CA.crl
   10  -rw-        2411                    <no date>  IOS-CA_00001.p12
   13  -rw-         706                    <no date>  0x2.crt
   14  -rw-          94                    <no date>  0x2.cnm
   15  -rw-         689                    <no date>  0x3.crt
   16  -rw-          84                    <no date>  0x3.cnm
   17  -rw-         709                    <no date>  0x4.crt
   18  -rw-          94                    <no date>  0x4.cnm
   19  -rw-         757                    <no date>  0x5.crt
   20  -rw-          94                    <no date>  0x5.cnm
   21  -rw-         760                    <no date>  0x6.crt
   22  -rw-          94                    <no date>  0x6.cnm

Can you imagine 80+ remote devices with their respective HEX file names? How 
would one know which is which? Let's say the remote device is compromised or 
even stolen. The CA administrator will need to quickly find the serial number 
of the certificate issued to the device in question. It all creates some 
overhead for the CA admin to keep a mapping of certificate S/Ns to device 
hostnames. Not a very appealing option as opposed to Microsoft CA, where one can 
quickly consult Issued Certificates and find the needed one based on the device 
hostname.

Eugene

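The mapping overhead described above can at least be scaffolded from the
listing itself: every issued certificate shows up as a `0x<serial>.crt` /
`0x<serial>.cnm` pair, so the serial numbers can be harvested mechanically and
the admin only has to fill in hostnames. The following is an added example, not
code from the thread or from Cisco; it parses the `dir nvram:` output quoted
above (copied verbatim), and the hostname table is a constructed placeholder
for the inventory the admin would maintain. The `.cnm` contents are not shown
on the page, so they are not parsed here.

```python
"""Build a serial-number inventory from an IOS CA 'dir nvram:' listing.

Added example (not from the original thread). Pairs 0x<serial>.crt and
0x<serial>.cnm entries by serial, attaches administrator-supplied hostnames,
and answers the revocation question: which serial belongs to device X?
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Listing copied from the thread's quoted 'dir nvram:' output.
DIR_LISTING = """\
Directory of nvram:/

  236  -rw-        2255                    <no date>  startup-config
  237  ----          24                    <no date>  private-config
  238  -rw-        2255                    <no date>  underlying-config
    1  -rw-           0                    <no date>  ifIndex-table
    2  ----          80                    <no date>  persistent-data
    3  -rw-        2945                    <no date>  cwmp_inventory
    6  -rw-          32                    <no date>  IOS-CA.ser
    7  -rw-         802                    <no date>  0x1.crt
    8  -rw-          72                    <no date>  0x1.cnm
    9  -rw-         403                    <no date>  IOS-CA.crl
   10  -rw-        2411                    <no date>  IOS-CA_00001.p12
   13  -rw-         706                    <no date>  0x2.crt
   14  -rw-          94                    <no date>  0x2.cnm
   15  -rw-         689                    <no date>  0x3.crt
   16  -rw-          84                    <no date>  0x3.cnm
   17  -rw-         709                    <no date>  0x4.crt
   18  -rw-          94                    <no date>  0x4.cnm
   19  -rw-         757                    <no date>  0x5.crt
   20  -rw-          94                    <no date>  0x5.cnm
   21  -rw-         760                    <no date>  0x6.crt
   22  -rw-          94                    <no date>  0x6.cnm
"""

# Constructed placeholder: the serial-to-hostname table the CA admin keeps.
# Hostnames are invented for illustration; 0x1, 0x4, 0x5, 0x6 are left unmapped
# on purpose to show the "which is which?" gap.
HOSTNAMES: Dict[int, str] = {
    0x2: "branch-r2.example.net",
    0x3: "branch-r3.example.net",
}

# One listing row: index, perms (4 chars), size, '<no date>', file name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S{4})\s+(\d+)\s+<no date>\s+(\S+)\s*$")
# Per-certificate database files: 0x<hex serial>.crt / .cnm
CERT_FILE_RE = re.compile(r"^0x([0-9a-fA-F]+)\.(crt|cnm)$")


@dataclass
class IssuedCert:
    serial: int
    crt_size: Optional[int] = None
    cnm_size: Optional[int] = None
    hostname: Optional[str] = None

    @property
    def serial_hex(self) -> str:
        return f"0x{self.serial:x}"

    @property
    def complete(self) -> bool:
        # Both files must be present for a 'database level complete' entry.
        return self.crt_size is not None and self.cnm_size is not None


def parse_listing(text: str) -> Dict[int, IssuedCert]:
    """Return {serial: IssuedCert} for every 0x<serial>.crt/.cnm file."""
    certs: Dict[int, IssuedCert] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or unexpected row
        size, name = int(m.group(3)), m.group(4)
        cm = CERT_FILE_RE.match(name)
        if not cm:
            continue  # startup-config, IOS-CA.crl, .p12 etc. are not per-cert files
        serial = int(cm.group(1), 16)
        rec = certs.setdefault(serial, IssuedCert(serial))
        if cm.group(2) == "crt":
            rec.crt_size = size
        else:
            rec.cnm_size = size
    return certs


def build_inventory(listing: str, hostnames: Dict[int, str]) -> List[IssuedCert]:
    """Attach known hostnames to parsed serials; sorted by serial."""
    certs = parse_listing(listing)
    for serial, host in hostnames.items():
        if serial in certs:
            certs[serial].hostname = host
    return [certs[s] for s in sorted(certs)]


def find_serial(inventory: List[IssuedCert], hostname: str) -> Optional[int]:
    """Serial the admin would revoke for a given device, or None if unmapped."""
    for rec in inventory:
        if rec.hostname == hostname:
            return rec.serial
    return None


def unmapped(inventory: List[IssuedCert]) -> List[str]:
    """Serials with no hostname on record: the entries that need a lookup."""
    return [r.serial_hex for r in inventory if r.hostname is None]


if __name__ == "__main__":
    inv = build_inventory(DIR_LISTING, HOSTNAMES)
    for r in inv:
        print(f"{r.serial_hex:>5}  crt={r.crt_size:>4}  cnm={r.cnm_size:>3}  "
              f"complete={r.complete}  host={r.hostname or '?'}")
    print("needs mapping:", unmapped(inv))
```

The point of `unmapped()` is the thread's complaint in concrete form: without an
out-of-band table, four of the six issued serials here cannot be tied to a
device, and the admin has to open each `.cnm` file to recover the subject name
before a revocation can be targeted.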

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, June 01, 2012 12:00 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Listing issued certificates on IOS CA

You can.

Have "database level complete" configured. There you can check the .cnm 
file, which has the enrolled host's subject name, and the .crt file, which 
has the issued cert.

With regards
Kings
On Fri, Jun 1, 2012 at 8:24 AM, Eugene Pefti 
<[email protected]> wrote:
Hi guys,
I wonder if I can see client certificates issued by the IOS CA on the router 
acting as CA. Of course I have a way to see the file names in the database, but 
I need to see the hostname of the client that enrolled and received a 
certificate. I am preparing an RFP for a client of ours and thinking of deploying 
an IOS-based CA for their 80+ remote sites connecting to the hub HQ. Being able 
to revoke a certificate quickly and easily is important.

Eugene
Sent from iPhone
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
