PIX VPN with different CA providers?

Discussion in 'Cisco' started by Eugene Vekua, May 25, 2004.

  1. Eugene Vekua

    Eugene Vekua Guest

    Hi,

    I need to establish a PKI-based VPN with our partner. We are both using
    PIX firewall devices. I've generated RSA keys and am going to enroll my
    PIX device with a CA.
    Do I need to negotiate and use the same CA as my partner, or can we use
    different ones, like one Verisign and the other Entrust?

    Evgeni
     
    Eugene Vekua, May 25, 2004
    #1

  2. jt

    jt Guest

    Both boxes need the same trustpoint/root CA, meaning that the data one box
    pretends to be "authentic" must be approved by a third party (CA) the other
    box trusts. If it didn't anyway, you wouldn't need a CA.

    You can configure several trustpoints, yes. See Cisco.com for details, a
    detailed discussion would be outta scope here.

    Greets

    Daniel
     
    jt, May 25, 2004
    #2

  3. This won't work - I think...

    greetings
    dalini
     
    Ives Steglich, May 25, 2004
    #3
  4. Eugene Vekua

    Eugene Vekua Guest

    Still not clear ...
    If I can configure several CAs on PIX, why do I need to use the same
    CA on both sides?

    Could they be different but from the list of trusted CAs on each side?

    BTW I did not find any information on the Cisco site about the possibility
    to configure multiple trustpoints on a PIX box. All Cisco scenarios I've
    seen have used the same single CA server on both ends.

    Evgeni
     
    Eugene Vekua, May 25, 2004
    #4
  6. jt

    jt Guest

    Hi Eugene,

    Sorry, mea culpa.
    "at present we do only support one CA on PIX".

    It's only possible with IOS.

    Daniel
     
    jt, May 26, 2004
    #6