The CA's role in the authentication process is to act as the keeper of digital certificates. The ITU-T X.509v3 standard defines the format and contents of a digital certificate. Digital certificates contain information about a device that can be used to authenticate it and contain three basic pieces of information: To provide redundancy when using certificates and CAs, a CA can implement one or more registration authorities (RAs). RAs cannot generate certificates for devices, but they can pass out existing certificates for validation purposes, as well as Certificate Revocation Lists (CRLs), discussed later.
Cisco IOS routers support the following CA products, among others: I have used both Microsoft products with great success.
Therefore, if your router fails and you replace it, you need to generate new keys for the new router and share the new public key with your current peers. After your peer has generated his public/private keys, you need to obtain his public key out of band and then configure this on your router.
However, because it uses a single symmetric key value for authentication, it is less secure than RSA encrypted nonces, which uses asymmetric keys (public and private).
If you specified your IKE Phase 1 authentication method with parameter, two sets of public/private key combinations are created: one for the signature and one for encryption.
If the peer has more than one IP address, I recommend using the parameter, this is treated as a wildcard; all remote peers must use this key when authenticating.
The Simple Certificate Enrollment Protocol (SCEP) is one of two methods that you can use to obtain certificate information on your router. SCEP occurs in-band and provides a quick way of obtaining a certificate.
To configure the peer's public key on your router, use the following configuration: command, you need to configure both.
If you do not specify the type of key, it defaults to signature.
I highly recommend that you not use this trick because, if one peer becomes compromised, all your peers are compromised.