IPsec Virtual Private Networks (VPNs) are realizing their potential to offer a high-performance, functional alternative to costly dial-up and leased-line WANs. Small VPN deployments are fairly easy to manage in terms of generating and managing suitable encryption keys and identity information; however, it becomes more difficult to generate and track unique cryptographic information as a VPN grows. Larger-scale VPNs require a more scalable and secure infrastructure to ease deployment and management burdens. Public Key Infrastructure (PKI) responds to this requirement for scalability and security, but presents its own challenges of complexity and cost. The integrated Certificate Server in Cisco IOS® Software addresses such challenges with a simple, scalable, easy-to-manage certification authority, which is built into the same hardware supporting the IPsec VPN.
IPsec networks employ encryption and authentication mechanisms to ensure data confidentiality and integrity. These cryptographic mechanisms, such as the DES, 3DES, and AES encryption algorithms and the SHA-1 and MD5 hash algorithms for data signing, use key information derived mathematically from information distributed to the devices and users that will be communicating over encrypted channels. Small deployments can easily employ shared secrets as the key information. Shared secrets are effectively simple passwords configured on both ends of the secured connection. As encrypted networks grow more complex, the task of managing unique shared secrets grows with the addition of every encryption peer, particularly in networks employing "full mesh" cryptographic peering.
PKI reduces the workload necessary to manage key information by automating the distribution of cryptographic material. Unfortunately, a PKI is frequently expensive to purchase and deploy, which can potentially require the addition of support staff. Commercial PKIs frequently offer substantially more capability and functionality than many customers require, making it difficult to justify the high cost of the technology.
Cisco IOS Software Release 12.3(4)T introduced a Certificate Server that offers functionality for issuing digital certificates for router-based network security. This new feature allows a Cisco IOS Software router to issue and revoke X.509 digital certificates, easily resolving the issue of requiring a costly and difficult-to-administer third-party certification authority. The initial phase of the Certificate Server fulfills the need to issue certificates to other Cisco IOS Software routers for IPsec VPNs and other encryption and identity services in a single-level hierarchy.
Certificate Server supports the distribution of Certificate Revocation Lists (CRLs) via the Cisco IOS Software SCEP server for smaller networks. For larger networks, an external server for CRL distribution is encouraged to reduce load on the Certificate Server router. The Certificate Server can issue a large volume of certificates; the X.509 serial-number field is the only limit on the maximum, offering the capability to issue millions of certificates. Different platforms will process different numbers of certificate requests over a given period of time, depending on router load, processor speed, and memory availability. Certificate validation does not cause additional load on the Certificate Server router beyond responding to CRL retrieval requests.
The Certificate Server reduces the cost and simplifies the deployment for IPsec VPNs. Rather than purchasing digital certificates from an online vendor (Verisign), or installing a certification authority (Entrust, Microsoft), Cisco IOS Software offers an integrated solution at no additional cost.
The Certificate Server offers a simple deployment procedure to make the server available in a short time. No additional hardware is required beyond the router at a central site in small deployments. Larger deployments may demand a separate router for certificate enrollment, and a web server for certificate revocation distribution.
Digital certificates inherently enhance network encryption security, both because they are so difficult to compromise and because their automated, network-based revocation systems render a certificate useless once its validity is terminated.
The Certificate Server offers a secure facility for deploying encryption key information through compliance with the X.509v3 standards for digital certificate generation and distribution. Clients may enroll online via the HTTP-based SCEP standard, or offline via manual cut-and-paste or TFTP for greater security where the Certificate Server is not available on the public network. The Certificate Server may be configured to automatically grant all certificate requests, or manual certificate request approval can be configured for greater control over certificate issuing.
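The deployment choices described above and under CRL distribution (online SCEP enrollment versus offline cut-and-paste enrollment, automatic versus manual granting, and moving CRL retrieval off the Certificate Server router onto an external web server) expressed as one Cisco IOS configuration. This is an added example, not configuration taken from the paper; the hostnames, IP addresses, trustpoint and key-pair names are constructed, and the commands are from the `crypto pki server` and `crypto pki trustpoint` command sets, whose exact keywords should be checked against the release in use.

```cisco
! ===== Certificate Server (hub router) =====
! SCEP enrollment and on-box CRL retrieval both use the IOS HTTP server.
ip http server
!
crypto pki server HUB-CA
 ! Keep the index of issued certificates (names) so revocation by serial is auditable.
 database level names
 ! Store the CA database and the generated CRL off-box (constructed address).
 database url tftp://10.0.0.5/hub-ca/
 issuer-name CN=hub-ca.example.net,O=Example
 ! End-entity certificates valid one year; CRL regenerated every 24 hours.
 lifetime certificate 365
 lifetime crl 24
 ! Small network: omit cdp-url and clients fetch the CRL from this router via SCEP.
 ! Larger network: publish hub-ca.crl from the database location on an external
 ! web server and point the CDP there, so revocation lookups never load the CA.
 cdp-url http://crl.example.net/hub-ca.crl
 ! Manual approval is the default. Remove the leading "!" to auto-grant every
 ! SCEP request; leave it for per-request control over issuance.
 ! grant auto
 no shutdown
!
! Exec commands for manual approval and revocation on HUB-CA:
!   crypto pki server HUB-CA info requests    (list pending requests and their IDs)
!   crypto pki server HUB-CA grant 3          (issue the certificate for request ID 3)
!   crypto pki server HUB-CA reject 3         (refuse request ID 3)
!   crypto pki server HUB-CA revoke 0x07      (revoke by serial; next CRL carries it)
!
! ===== Spoke router enrolling online via SCEP =====
crypto pki trustpoint HUB-CA
 ! CA router address (constructed); HTTP is the SCEP transport.
 enrollment url http://10.0.0.1:80
 subject-name CN=spoke1.example.net,O=Example
 ! Dedicated 2048-bit key pair for this identity (label is constructed).
 rsakeypair SPOKE1-KEYS 2048
 ! Refuse IPsec peers whose certificate appears on the CA's CRL.
 revocation-check crl
!
! Offline alternative when the CA is not reachable from the spoke's network:
! replace "enrollment url ..." with the line below and move the request and the
! issued certificate by cut-and-paste through the console.
!  enrollment terminal
!
! Exec steps on the spoke:
!   crypto pki authenticate HUB-CA   (fetch the CA certificate; confirm its fingerprint
!                                     out of band before accepting it)
!   crypto pki enroll HUB-CA         (generate the request and submit it to the CA)
```

With `grant auto` left commented out, each spoke's request sits pending until an operator inspects it with `info requests` and grants it by ID, which is the "greater control" mode the paper describes; `revocation-check crl` on the spokes is what makes a later `revoke` take effect at the next CRL refresh.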