PKI for Network Engineers (9/?): Elliptic Curve Setup

Greetings fellow networkers,

In this installment of PKI for network engineers, we’re going to build up our two tier Elliptic Curve PKI hierarchy in one shot.  There are a lot of tasks, but only a few of them differ from our RSA setup.  I’ll highlight those below.

  1. Cryptographic service provider and Hash algorithm.
    1. I’m using ECDSA 384 and SHA384
      1. Although the Microsoft CA supports 521 bit EC Keys, Cisco IOS maxes at 384
  2. No NDES/SCEP.  NDES supports RSA only for in-band device enrollment
    1. There is a new standard called EST (enrollment over secure transport)
      1. IOS and IOS-XE support EST as clients
      2. There’s an open source project called libEST you can use to test.
      3. Cisco ISE as of version 2.2 supports EST
  3. Web enrollment doesn’t support version 3 or 4 templates
    1. When duplicating templates, be aware of this fact
  4. Mind your signatures and public key algorithms.
    1. RSA public keys can be signed by a EC CA and vice versa.  Keep this in mind when creating your templates and take care to test them and inspect your certificates to make sure you’re getting what you think you’re getting




Settings, scriptlets, helpful text blocks:


Leave a Reply