Scaling VPN Tunnels | CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)

Using pre-shared keys works fine in small VPN environments such as the site-to-site configuration. Larger environments connecting several or even hundreds of VPN tunnels use certificate authorities to provide a more scalable solution than pre-shared keys.

When using CAs, each PIX generates its own public and private key pair. The private key stays privately secured on the PIX, whereas the public key eventually is used to create a digital certificate that is utilized during IKE phase 1 to perform authentication. The certificates are validated against the CA before authentication can succeed. This alleviates the need to manually reconfigure all the systems when the keys change, as in the case when using pre-shared keys. The four basic steps needed to configure CAs are as follows :

Generate RSA key pairs on the PIX.
Obtain the CA's certificate.
Request a signed certificate from the CA with the RSA public key generated on the PIX.
The CA verifies the request and sends the signed certificate back to be installed on the PIX.

Table 12.12 contains a general list of commands used in this process.

Table 12.12. ca Commands

Command	Description
ca generate rsa	This generates RSA key pairs, public keys, and private keys. The public key is sent to the CA.
show ca mypubkey rsa	This displays the public key generated.
ca identity <ca_name>	This command creates a name that identifies the IP address for the CA.
ca configure <ca_name>	This configures the CA identity parameters.
ca authenticate <ca_name>	This obtains the CA's certificate.
show ca certificate	This is used to view the CA's certificate.
ca enroll <ca_name>	This enrolls or sends a request to a CA for a certificate.
ca save all	This saves the certificates.