In large-scale DMVPN environments, managing pre-shared keys becomes increasingly inefficient and insecure. Public Key Infrastructure (PKI) offers a scalable and robust alternative. By leveraging certificates for authentication, routers can securely establish IPSec tunnels without relying on manually distributed keys.
Core PKI Components on IOS
A typical PKI environment includes several components: a Certificate Authority (CA), public-private key pairs, and certificates. Cisco IOS routers can act as both certificate clients and certificate authorities (CAs). The IOS CA uses an RSA key pair for signing certificates.
To configure an IOS router as a CA, the following command is used:
crypto pki server cs-label
Here, cs-label is the custom name assigned to the certificate server. Once entered, a submenu is presented, allowing additional configuration such as CRL distribution, database parameters, certificate lifetimes, and more.
Key PKI Server Configuration Commands
Some of the common subcommands under crypto pki server include:
- auto-rollover – Rotates the CA key and certificate automatically.
- cdp-url – Specifies the CRL distribution point URL.
- grant auto – Automatically grants certificate requests (useful for lab/test environments).
- database – Defines where the CA stores issued certificate information.
- issuer-name – Customizes the distinguished name (DN) of the CA.
- lifetime – Specifies how long certificates and CA credentials remain valid.
- no shutdown – Activates the CA server.
To enable the CA, you must also enable HTTP:
ip http server
This is required for certificate enrollment protocols like SCEP (Simple Certificate Enrollment Protocol).
Generating and Managing Keys
RSA and EC (Elliptic Curve) key pairs can be generated using:
crypto key generate rsa modulus
crypto key generate ec keysize 256 | 384
To import keys:
crypto key import rsa key-label pem
crypto key import ec key-label
Keys can be deleted with:
crypto key zeroize rsa key-label
NTP is highly recommended for time synchronization, as accurate timestamps are essential for certificate validation.
Trustpoint Configuration and Enrollment
The trustpoint is the logical object representing a CA on the router. To configure a trustpoint, pointing the enrollment URL at the CA's SCEP endpoint:
crypto pki trustpoint CA-NAME
 enrollment url http://CA-IP/
 rsakeypair key-label
You can enroll using:
crypto pki authenticate CA-NAME
crypto pki enroll CA-NAME
This process downloads the CA certificate and submits a CSR (certificate signing request) for the router. The router will then receive its signed identity certificate from the CA.
For secure and automated environments, you can enable EST (Enrollment over Secure Transport) with:
crypto pki profile enrollment profile-name
 method-est
 enrollment credential trustpoint
 enrollment url secure-CA-url
Hashing and Revocation Options
Cisco IOS supports multiple hashing algorithms for certificate signing. Stronger algorithms such as SHA-384 and SHA-512 belong to Cisco's Next Generation Encryption (NGE) suite and are preferred. Legacy options such as SHA1 and MD5 should be avoided in production.
Revocation can be configured using:
- CRL (Certificate Revocation List) – Default method.
- OCSP (Online Certificate Status Protocol) – Enables real-time revocation checking.
Configure revocation behavior under the trustpoint as:
revocation-check [crl | none | ocsp]
Putting It All Together – CA and Enrollment Process
To set up a router as a CA:
1. Enable HTTP and set NTP or manual time.
2. Generate keys:
crypto key generate rsa modulus 1024 label KEY-LAB
3. Configure and start CA:
crypto pki server CA-NAME
 grant auto
 database level minimum
 issuer-name cn=hq.cisco.local
 lifetime ca-certificate 3650
 no shut
On the spoke or client routers:
1. Generate keys:
crypto key generate rsa modulus 2048 label KEY-LAB
2. Create a trustpoint:
crypto pki trustpoint NAME
 rsakeypair KEY-LAB
 subject-name cn=branch1.cisco.local
 enrollment url http://192.0.2.20
3. Authenticate and enroll:
crypto pki authenticate NAME
crypto pki enroll NAME
Integration with ISAKMP and IPSec
Once certificates are in place, integrate with your VPN by modifying your IKE policy:
crypto isakmp policy 5
 hash md5
 authentication rsa-sig
Verify with:
show crypto isakmp sa detail
show crypto pki certificate
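To make the CA/enrollment procedure above and the rsa-sig check concrete, here is an added Go model of the exchange (example code written for this page, not IOS or Cisco code): the CA issues a 3650-day certificate for cn=hq.cisco.local, a spoke submits a CSR for cn=branch1.cisco.local and gets it signed with SHA-256 (the NGE choice from the hashing section, rather than the md5 in the IKE policy above), and a peer then validates that certificate against the trustpoint CA at its own clock. The function names (newCA, enroll, verifyPeer) and the 2048-bit keys are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed model of the page's enrollment flow, not IOS code: CA cn=hq.cisco.local
// signs the spoke's CSR; an IKE peer later validates that cert against the trustpoint CA.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCA mirrors "issuer-name cn=hq.cisco.local" and "lifetime ca-certificate 3650".
func newCA(now time.Time) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "hq.cisco.local"},
		NotBefore: now, NotAfter: now.AddDate(0, 0, 3650), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // self-signed
	return must(x509.ParseCertificate(der)), key
}

// enroll models "crypto pki enroll": check the CSR's proof-of-possession, then sign it ("grant auto") for days days with SHA-256, never MD5/SHA1.
func enroll(caCert *x509.Certificate, caKey *rsa.PrivateKey, cn string, now time.Time, days int) *x509.Certificate {
	spokeKey := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, spokeKey))))
	must(0, csr.CheckSignature()) // refuse a CSR not signed by the key it carries
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: now, NotAfter: now.AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))))
}

// verifyPeer is the check behind "authentication rsa-sig": chain the peer cert to the trustpoint CA at the router's clock (hence NTP).
func verifyPeer(caCert, peer *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Running verifyPeer with a clock outside the certificate's validity window fails the same way a spoke without NTP fails IKE authentication, which is the practical reason the page insists on time synchronization.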
PKI integration with DMVPN enables automated, scalable, and secure authentication for large-scale VPN networks. It eliminates the pain of managing static keys and provides a trusted framework for device identity, especially when combined with features like DMVPN Phase 3 and FlexVPN.