Monday, December 28, 2009

EZVPN with certificates.

Recently I posted about IOS CA. Taking this further, I enrolled one of my routers with one sub-CA and the other router with a different sub-CA. Is that possible at all? The certificates share a common chain...

They share a common CA, but they have different OU fields.

Server:
----------------------------------
ez-server#sh cry ca cert
Certificate
  Issuer:
    cn=SUBCA1.cisco.com
    ou=LAB
  Subject:
    Name: ez-server.cisco.com
CA Certificate
  Issuer:
    cn=CA.cisco.com
    ou=LAB
  Subject:
    cn=SUBCA1.cisco.com
    ou=LAB
----------------------------------

Client cert:
------------------------------
ez-client#sh cry pki cert
Certificate
  Issuer:
    cn=SUBCA2.cisco.com
    ou=LAB1
  Subject:
    Name: ez-client.cisco.com
CA Certificate
  Issuer:
    cn=CA.cisco.com
    ou=LAB
  Subject:
    cn=SUBCA2.cisco.com
    ou=LAB1
------------------------------
Already wrong? Damn...
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rsa.html#wp1056030
"The content of the first Organizational Unit (OU) field will be used as the group."
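To make the quoted rule concrete, here is an added example (not from the blog or from Cisco) that mimics the server-side group selection: it parses an RFC 4514 style subject DN, takes the first OU as the Easy VPN group name, and checks it against the groups the server has configured. The subject strings and the group set are constructed; the "first OU" is taken as the first OU attribute encountered in the subject as written.

```python
"""Derive the Easy VPN client group from a certificate subject DN.

With RSA-signature authentication, IOS Easy VPN uses the first OU of the
peer certificate's subject as the group name. If no group with that name
exists on the server, group lookup fails. Constructed example data only.
"""


def parse_dn(dn):
    """Split an RFC 4514 DN string into (attr, value) pairs, honouring '\\' escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                          # unescaped comma ends the RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def first_ou(subject_dn):
    """Return the first OU value in the subject, or None if it has no OU."""
    for attr, value in parse_dn(subject_dn):
        if attr == "ou":
            return value
    return None


def select_group(subject_dn, configured_groups):
    """Group = first OU of the subject; None when the server has no such group."""
    ou = first_ou(subject_dn)
    if ou is None or ou not in configured_groups:
        return None
    return ou


SERVER_GROUPS = {"LAB"}  # constructed: only group LAB exists on ez-server

if __name__ == "__main__":
    for subj in ("cn=ez-client.cisco.com,ou=LAB1,o=cisco",
                 "cn=ez-client.cisco.com,ou=LAB,o=cisco"):
        print(subj, "->", select_group(subj, SERVER_GROUPS))
```

A client whose first OU is LAB1 gets no group on a server that only knows LAB, which is exactly the mismatch the two certificate dumps above show.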
