Yet they say in their White Papers that digital certificate authentication with IOS CA is the answer for enterprises to deploy VPN solutions ;)
From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, June 01, 2012 12:47 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Listing issued certificates on IOS CA

I knew this would be your reply. Doing it for 80 clients would be difficult. Cisco developed the IOS CA server for a small scale, not for an enterprise.

With regards
Kings

On Fri, Jun 1, 2012 at 1:01 PM, Eugene Pefti <[email protected]> wrote:

I knew about this, Kings. It's not very user-friendly. This is how the nvram content of the CA server looks:

    R6#dir nvram:
    Directory of nvram:/

      236  -rw-  2255  <no date>  startup-config
      237  ----    24  <no date>  private-config
      238  -rw-  2255  <no date>  underlying-config
        1  -rw-     0  <no date>  ifIndex-table
        2  ----    80  <no date>  persistent-data
        3  -rw-  2945  <no date>  cwmp_inventory
        6  -rw-    32  <no date>  IOS-CA.ser
        7  -rw-   802  <no date>  0x1.crt
        8  -rw-    72  <no date>  0x1.cnm
        9  -rw-   403  <no date>  IOS-CA.crl
       10  -rw-  2411  <no date>  IOS-CA_00001.p12
       13  -rw-   706  <no date>  0x2.crt
       14  -rw-    94  <no date>  0x2.cnm
       15  -rw-   689  <no date>  0x3.crt
       16  -rw-    84  <no date>  0x3.cnm
       17  -rw-   709  <no date>  0x4.crt
       18  -rw-    94  <no date>  0x4.cnm
       19  -rw-   757  <no date>  0x5.crt
       20  -rw-    94  <no date>  0x5.cnm
       21  -rw-   760  <no date>  0x6.crt
       22  -rw-    94  <no date>  0x6.cnm

Can you imagine 80+ remote devices with their respective HEX file names? How would one know which is which? Let's say the remote device is compromised or even stolen. The CA administrator will need to quickly find the serial number of the certificate issued to the device in question. It all creates some overhead on the CA admin to keep a mapping of certificate S/Ns and the device hostnames. Not a very appealing option as opposed to Microsoft CA, where one can quickly consult Issued Certificates and find the needed one based on the device hostname.
Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, June 01, 2012 12:00 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Listing issued certificates on IOS CA

You can. Have "database level complete" configured. There you can check the .cnm file, which has the enrolled host's subject name, and the .crt file will have the issued cert.

With regards
Kings

On Fri, Jun 1, 2012 at 8:24 AM, Eugene Pefti <[email protected]> wrote:

Hi guys,

I wonder if I can see client certificates issued by the IOS CA on the router acting as CA. Of course I have a way to see the file names in the database, but I need to see the hostname of the client that enrolled and received a certificate. I'm preparing an RFP for a client of ours and thinking of deploying an IOS-based CA for their 80+ remote sites connecting to the hub HQ. Being able to revoke a certificate quickly and easily is important.

Eugene

Sent from iPhone

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
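An added example, not from anyone in this thread: a Python script that parses a `dir nvram:` listing like the one Eugene posted into a per-serial inventory of the CA database, then uses the .cnm files to build the hostname-to-serial lookup an admin needs in order to revoke the right certificate quickly. The key/value layout assumed for the .cnm contents is hypothetical; the real IOS file format may differ, so adjust `subject_of` to what your router actually writes.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the "dir nvram:" listing quoted in the thread.
DIR_LISTING = """\
    6  -rw-    32  <no date>  IOS-CA.ser
    7  -rw-   802  <no date>  0x1.crt
    8  -rw-    72  <no date>  0x1.cnm
    9  -rw-   403  <no date>  IOS-CA.crl
   13  -rw-   706  <no date>  0x2.crt
   14  -rw-    94  <no date>  0x2.cnm
   15  -rw-   689  <no date>  0x3.crt
"""

# Constructed .cnm contents. The "key = value" layout is an ASSUMPTION made for this
# example, not the documented IOS CA format; only the subject line is relied on.
CNM_FILES = {
    "0x1.cnm": "subjectname_str = hostname=spoke-01.example.net\nexpiration = 10:23:00 UTC Jun 1 2013\n",
    "0x2.cnm": "subjectname_str = hostname=spoke-02.example.net\nexpiration = 10:41:00 UTC Jun 1 2013\n",
}

# One directory entry for a per-certificate file: index, perms, size, date, 0x<serial>.<ext>
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+<no date>\s+(0x[0-9a-fA-F]+)\.(crt|cnm)\s*$")

def index_ca_database(listing):
    """Group the CA's per-certificate files by hex serial: {'0x1': {'crt': 802, 'cnm': 72}, ...}."""
    db = defaultdict(dict)
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, serial, ext = m.groups()
            db[serial][ext] = int(size)
    return dict(db)

def subject_of(cnm_text):
    """Pull the enrolled subject out of a .cnm file (assumed layout, see above)."""
    m = re.search(r"^subjectname_str\s*=\s*(.+)$", cnm_text, re.M)
    return m.group(1).strip() if m else None

def build_revocation_index(listing, cnm_files):
    """Return ({subject: serial}, [serials with no usable .cnm]) for the revoke lookup."""
    index, missing = {}, []
    for serial, files in index_ca_database(listing).items():
        text = cnm_files.get(f"{serial}.cnm")
        subject = subject_of(text) if text else None
        if subject is None:
            missing.append(serial)   # issued cert with no name record: cannot map to a host
        else:
            index[subject] = serial
    return index, sorted(missing, key=lambda s: int(s, 16))
```

Serials that land in the `missing` list are exactly the ones the thread warns about: a .crt with no readable .cnm beside it cannot be tied to a hostname, so check the database level before you rely on this lookup in an incident.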
