
PKI Processes and Procedures

Chapter Description

Several processes need to occur in a PKI for a deployment to function smoothly. To address these processes, this chapter covers enrollment, certificate expiration and renewal, certificate verification and enforcement, and PKI resiliency.


Many processes need to occur in the background of a PKI for things to run smoothly. The main considerations are enrollment, certificate renewal, certificate verification and enforcement, and resiliency. This chapter discussed two enrollment methods: manual (cut-and-paste) enrollment and SCEP, a network-based enrollment protocol. SCEP is preferred wherever possible, because enrolling over the network is much simpler to implement and to automate than moving requests and certificates by hand.

For certificate renewal, consider two elements: the CA certificate expiring and the spoke certificate expiring. To renew the CA certificate, the IOS rollover feature is used: it creates a shadow CA certificate on the CA server ahead of time, and that shadow certificate becomes valid at the moment the current CA certificate expires, so there is no gap during which the CA has no valid certificate. For the spoke, the auto-enrollment renewal feature is used: once a configured percentage "X" of the certificate's lifetime has passed, the spoke automatically requests a new certificate, so renewal completes before the existing certificate expires.
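The two enrollment methods and both renewal mechanisms above, in one configuration. This is an added example, not configuration from the book; the labels (MYCA, SPOKE1-KEY, MYCA-MANUAL), the addresses (10.1.1.1 for the FTP database, 10.1.1.2 for the CA), and the lifetimes and percentages are assumptions chosen for illustration.

```cisco
! ===== IOS CA server (hub) =====
! Assumed: label MYCA, database on FTP 10.1.1.1, CA reachable at 10.1.1.2
ip http server                      ! SCEP is carried over HTTP; required for network enrollment
crypto pki server MYCA
 database url ftp://10.1.1.1/ca     ! keep the CA database off-box for later restoration
 database level complete
 issuer-name CN=MYCA,O=Example
 lifetime ca-certificate 1825       ! CA certificate lifetime, in days
 lifetime certificate 365           ! issued (spoke) certificate lifetime, in days
 lifetime crl 24                    ! each CRL is valid for 24 hours
 auto-rollover 90                   ! create the shadow (rollover) CA cert 90 days before expiry;
                                    ! it becomes valid exactly when the current CA cert expires
 grant auto                         ! auto-grant SCEP requests (lab setting; in production grant
                                    ! manually or restrict auto-granting to re-enrollments)
 no shutdown

! ===== Spoke: network (SCEP) enrollment with automatic renewal =====
crypto pki trustpoint MYCA
 enrollment url http://10.1.1.2:80
 subject-name CN=spoke1,O=Example
 rsakeypair SPOKE1-KEY 2048
 auto-enroll 70 regenerate          ! request a new cert at 70% of lifetime (X = 70),
                                    ! generating a fresh key pair for it
 revocation-check crl

! Exec commands on the spoke: fetch and verify the CA cert, then enroll over SCEP
crypto pki authenticate MYCA
crypto pki enroll MYCA

! ===== Spoke: manual (cut-and-paste) alternative =====
! "crypto pki enroll" prints the PEM CSR to the terminal; the signed certificate is
! pasted back with "crypto pki import MYCA-MANUAL certificate". No automatic renewal.
crypto pki trustpoint MYCA-MANUAL
 enrollment terminal pem
 subject-name CN=spoke1,O=Example
 rsakeypair SPOKE1-KEY 2048
```

After enrollment, `show crypto pki certificates` on the spoke shows the renewal time derived from the auto-enroll percentage, and `show crypto pki server` on the hub shows the rollover certificate once it has been generated. The `regenerate` keyword is the setting a practitioner normally wants: renewing onto the same key pair keeps an old key in service for another full lifetime.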

Certificate verification and enforcement is required to make sure certificates presented during authentication are still valid and have not been revoked. Two principal methods exist for this enforcement, plus a third, authorization-based method that is adapted to provide similar functionality. The approaches are CRL, OCSP, and AAA integration. A CRL is a CA-signed list of revoked certificates and is supported by IOS CA. However, CRLs are not real time: a peer keeps using its cached CRL until that CRL's next-update time, so it may take many hours for information about a revocation to propagate. OCSP is real time, but it is not supported on IOS CA and requires a third-party OCSP responder. Integration with AAA provides a method of authorization that is real time.

Authentication proceeds as usual against the certificate, and the AAA authorization step then determines whether network access is permitted for that certificate's identity. The disadvantage of this approach is that the AAA server needs to hold a record for every certificate in the network.
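The three enforcement options side by side, as an added example rather than configuration from the book. The trustpoint labels, the addresses (10.1.1.2 CA, 10.1.1.3 OCSP responder, 10.1.1.4 RADIUS server), the AAA list name PKI-AUTHZ and the RADIUS key are assumptions; the `pki:cert-application=all` AV pair is the attribute Cisco documents for PKI AAA authorization records.

```cisco
! ===== Option 1: CRL (supported by IOS CA, not real time) =====
crypto pki trustpoint MYCA
 enrollment url http://10.1.1.2:80
 revocation-check crl none          ! "none" fallback accepts the cert if the CDP is unreachable
                                    ! (fail open); drop it to fail closed when the CRL cannot be fetched

! ===== Option 2: OCSP (real time, needs a third-party responder) =====
crypto pki trustpoint MYCA-OCSP
 enrollment url http://10.1.1.2:80
 ocsp url http://10.1.1.3/ocsp      ! assumed responder address; IOS CA does not provide one
 revocation-check ocsp              ! no fallback: peer is rejected if the responder is down

! ===== Option 3: AAA authorization after certificate authentication =====
aaa new-model
radius-server host 10.1.1.4 key RadiusSecret
aaa authorization network PKI-AUTHZ group radius
crypto pki trustpoint MYCA-AAA
 enrollment url http://10.1.1.2:80
 revocation-check crl none
 authorization list PKI-AUTHZ
 authorization username subjectname commonname   ! RADIUS username = certificate CN
! Each CN needs a RADIUS user record carrying
!   cisco-avpair = "pki:cert-application=all"
! Removing (or disabling) a record denies that peer on its next authentication,
! without waiting for a CRL to be republished and re-fetched.

! ===== Verification =====
show crypto pki crls                ! shows the cached CRL and its NextUpdate time:
                                    ! a revocation is only seen after the cache expires
show crypto pki certificates
```

The CRL `NextUpdate` shown by `show crypto pki crls` is the practical bound on revocation latency for option 1; `lifetime crl` on the IOS CA sets it, and shortening it trades faster propagation for more CDP fetches.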

Another important process for any network device is what to do when the device must be restored. If you follow leading practices and store the CA database on an external FTP server, restoring an IOS CA is straightforward. Restoration is a two-step process: import the database files onto the replacement router, and then paste the old configuration onto the new IOS CA server.
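A backup and restore sequence for the IOS CA described above, added here as an example and not taken from the book. Assumptions: the CA is labelled MYCA with its database on ftp://10.1.1.1/ca, the server archives its key pair and certificate in PKCS#12 form, and the database files carry the server label as their base name (MYCA.ser, MYCA.crl, MYCA.p12); confirm the actual filenames with a directory listing on the FTP server before restoring.

```cisco
! ===== On the original CA: archive keys alongside the database =====
crypto pki server MYCA
 database url ftp://10.1.1.1/ca
 database level complete
 database archive pkcs12 password ArchivePass   ! CA cert + private key written to the database url
                                                ! as MYCA.p12 (assumed name); guard this file and password

! ===== On the replacement router =====
! 1. Bring back the serial-number counter and the last CRL so issuance and revocation
!    continue where the old server stopped (assumed filenames)
copy ftp://10.1.1.1/ca/MYCA.ser nvram:MYCA.ser
copy ftp://10.1.1.1/ca/MYCA.crl nvram:MYCA.crl

! 2. Import the archived CA key pair and certificate under the SAME label
crypto pki import MYCA pkcs12 ftp://10.1.1.1/ca/MYCA.p12 password ArchivePass

! 3. Paste the saved "crypto pki server MYCA" block from the old configuration
!    (same label, same database url and lifetimes), then bring the server up
crypto pki server MYCA
 database url ftp://10.1.1.1/ca
 database level complete
 database archive pkcs12 password ArchivePass
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 auto-rollover 90
 no shutdown

! 4. Verify: the certificate fingerprint and next serial number should match the old server
show crypto pki server
show crypto pki certificates
```

The point of step 1 is that the serial-number file is part of the CA's state: restarting from a fresh counter would eventually reissue serial numbers that already appear in published CRLs, so the restored server must resume from the backed-up value.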