PKI Resiliency
Sometimes, routers experience hardware failures, or an administrator might accidentally lose information on a router. If this router is the certificate authority, a key part of the network infrastructure is compromised. Consequently, a method should exist to recover from such events without resulting in a catastrophic failure.
Certificate Authority Resiliency
The certificate authority is the key piece to consider for a resilient PKI. There are several files on a CA server to consider, including the following:
- The database file contains the RSA keys and the local certificate.
- The .ser file holds the last serial number issued by the CA.
- The .crl file contains the list of certificates that have been revoked.
The default location for file storage is the local NVRAM. For maximum resiliency, it is considered best practice to use an external FTP server to store these files. This external server should not be used for anything else and should be reachable only from the CA servers. Resiliency practices for mission-critical servers should be applied to this server. Example 3-15 shows the optional placement of the CRL file at a location different from the database URL; by default the CRL file is stored in the same location as the database file.
Example 3-15. Configuring an External FTP Server
3845-root-ca# show run
crypto pki server root-ca
 database archive pkcs12 password {password}
 database url ftp://172.26.129.252
 database url crl ftp://172.26.129.252
If a router fails, a new router should be available to become the new CA. The steps to restore are simple:
- Step 1. Import the database file using the command crypto pki import {root-ca name} pkcs12 ftp://{x.y.z.w} {password}.
- Step 2. Paste in the saved router configuration. Backing up the configuration regularly is common and recommended practice; with a current configuration and the archived database available, the restoration process is simple and straightforward.
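Before running step 1 against a replacement router, it is worth confirming that the backup set on the FTP server is complete, intact and not older than the CA's last known state. The following Python check is an added example and is not code from the book or from Cisco IOS; it assumes the files are named {ca}.p12, {ca}.ser and {ca}.crl, that the .ser file carries the last issued serial as a hex number, and that the caller supplies the highest serial the old CA is known to have issued.

```python
# Added example, not from the book: sanity-check a Cisco IOS CA backup set pulled
# from the external FTP server before rebuilding the CA from it. Assumed (the page
# does not say): files are <ca>.p12, <ca>.ser, <ca>.crl; .ser holds a hex serial.
import re

def der_is_complete(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE; a truncated transfer fails."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                            # short-form length
        hdr, length = 2, blob[1]
    else:                                         # long-form: N length bytes follow
        n = blob[1] & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return hdr + length == len(blob)

def last_serial(ser_file: bytes):
    """Last issued serial from the .ser file (assumed hex), or None if absent."""
    tokens = re.findall(rb"\b[0-9A-Fa-f]+\b", ser_file)
    return int(tokens[-1], 16) if tokens else None

def check_backup(files: dict, ca: str, last_known_serial: int) -> list:
    """Return problems found; an empty list means the set looks restorable."""
    problems = []
    p12, ser, crl = (files.get(ca + ext) for ext in (".p12", ".ser", ".crl"))
    if p12 is None:
        problems.append(f"missing {ca}.p12")
    elif not der_is_complete(p12):
        problems.append("PKCS#12 archive is not a complete DER structure")
    if crl is None:
        problems.append(f"missing {ca}.crl")
    elif not der_is_complete(crl):
        problems.append("CRL is not a complete DER structure")
    serial = None if ser is None else last_serial(ser)
    if serial is None:
        problems.append(f"missing or unparsable {ca}.ser")
    elif serial < last_known_serial:
        # Counter behind the last serial known to be issued: the backup is
        # stale, and a CA restored from it would reissue used serial numbers.
        problems.append(f"stale .ser: {serial:#x} < {last_known_serial:#x}")
    return problems

# Constructed sample set, standing in for files fetched from the FTP server.
SAMPLE = {
    "root-ca.p12": b"\x30\x82\x01\x00" + b"\x00" * 256,   # long-form length 256
    "root-ca.ser": b"db_serial 0A\n",
    "root-ca.crl": b"\x30\x10" + b"\x00" * 16,            # short-form length 16
}
```

Run `check_backup(SAMPLE, "root-ca", <last serial you recorded>)` on the real files pulled from the FTP server; any non-empty result should stop the restore until the backup is refreshed.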