Cisco IOS Certificate Server vs. MS CA Server?

Humper Member Posts: 647
What are the pros/cons of using the Cisco CA server versus Microsoft? I'm doing a lab for DMVPN :D
Now working full time!

Comments

  • Humper Member Posts: 647
    I have furthered my reading a bit...


    From: Comparing, Designing, and Deploying VPNs, Cisco Press

    The choice of which Cisco IOS router to use as the certificate server depends largely on the (free) CPU and memory capacity of the routers in the VPN. You should always ensure that the Cisco IOS certificate server is deployed on a router with plenty of spare memory and CPU capacity (the router is relatively lightly loaded) and that this router is easily accessible from all of the gateways in the IPsec VPN. You should also take into account additional bandwidth requirements at the site where the certificate server is deployed, particularly if there are a large number of IPsec VPN gateways and the CRL grows to a large size.

    Assuming that files (including the CRL) are stored locally, the router configured as the Cisco IOS certificate server will not only need to be available to issue certificates to new gateways and to renew existing gateways' certificates, but also to provide the CRL to gateways when they negotiate IKE and need to verify the revocation status of peer gateways' certificates.
    Now working full time!
  • Yossarian Member Posts: 14 ■□□□□□□□□□
    Humper wrote:
    What are the pros/cons of using the Cisco CA server versus Microsoft? I'm doing a lab for DMVPN :D

    I've never used the Cisco CA in production, so I can't comment on it.

    I do use the Microsoft CA and it was an easy decision to make when deciding how to authenticate VPN users. The SCEP add-on for the MS CA makes things pretty simple. I would recommend this option if you already have a MS CA on your domain.

    *edit* I guess a better way to put what I wrote above is this. If you already have a PKI in place (MS CA, OpenSSL), why use the Cisco CA?
  • Humper Member Posts: 647
    Yossarian wrote:
    Humper wrote:
    What are the pros/cons of using the Cisco CA server versus Microsoft? I'm doing a lab for DMVPN :D

    I've never used the Cisco CA in production, so I can't comment on it.

    I do use the Microsoft CA and it was an easy decision to make when deciding how to authenticate VPN users. The SCEP add-on for the MS CA makes things pretty simple. I would recommend this option if you already have a MS CA on your domain.

    *edit* I guess a better way to put what I wrote above is this. If you already have a PKI in place (MS CA, OpenSSL), why use the Cisco CA?

    It was something to use at home here because I didn't have the MS CA server available to me.
    Now working full time!
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    I agree with Yossarian. I have used the Cisco router CA in lab and test environments, but I wouldn't use it in production unless I had no other choice (a network with no suitable server for certificate services.)
    The only easy day was yesterday!
  • Humper Member Posts: 647
    dtlokee wrote:
    I agree with Yossarian. I have used the Cisco router CA in lab and test environments, but I wouldn't use it in production unless I had no other choice (a network with no suitable server for certificate services.)

    Yup, exactly what it was for...a lab environment, because I didn't have the MS server at home to use with dynamips.

    I'm labbing at work so the world is good again :D
    Now working full time!