Some Enrollment Scenarios
Netscape Certificate Management System Installation and Setup Guide • October 2001

Router Enrollment and Revocation

Cisco routers support the use of certificates for authentication, encryption, and tamper detection with the IP Security (IPSec) protocol. Cisco routers also support CEP for certificate life-cycle management, as discussed in the previous section.

The following steps describe how two routers can use a Certificate Manager to enroll in a PKI and what happens when a router’s certificate is revoked. These steps are shown in Figure 2-7.

1. Enroll in PKI. The routers each send a certificate request to the Certificate Manager via CEP, and the Certificate Manager issues them certificates. (Any of the authentication methods discussed in the previous section can be used during enrollment to authenticate the client.)

2. Publish certificates. As part of the issuing process, the Certificate Manager publishes the certificates to the directory. (Publishing occurs only if the router’s DN exists in the publishing directory. This is important for some Cisco routers that must fetch their certificates from an LDAP directory because flash memory is not large enough to hold them.) The routers can now authenticate each other and establish an encrypted channel using IPSec. All TCP/IP communication passes through this encrypted channel. From the point of view of other connections to each router, they all appear to be sharing the same TCP/IP network.

3. Revoke a certificate. After some time has passed, the Certificate Manager agent revokes one of the certificates (for example, after the certificate owner leaves the company).

4. Publish CRL. The Certificate Manager publishes the CRL to the directory.

5. Verify certificate. The routers check the CRL as part of their mutual authentication process. Certificates listed in the CRL are not authenticated, and routers presenting them cannot establish a connection.
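The five-step flow above, as an added Python example that is not part of the guide, of Netscape CMS or of Cisco IOS: it models the Certificate Manager, an LDAP-like publishing directory and the CRL check a router performs during mutual authentication. All DNs, class and function names are constructed for the example. CEP transport, request authentication and signature verification are not modelled; the example goes slightly beyond the text in that the router's check fails closed (no CRL, a CRL past its next-update time, an untrusted issuer or an expired certificate all reject the peer), and it also shows the guide's caveat that a certificate is published only when the subject DN already exists in the directory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2001, 10, 1, tzinfo=timezone.utc)  # constructed clock for the scenario


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject_dn: str
    issuer_dn: str
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer_dn: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


class Directory:
    """LDAP-like publishing directory: one entry per DN, attributes as a dict."""

    def __init__(self, existing_dns):
        self.entries = {dn: {} for dn in existing_dns}

    def publish_cert(self, cert):
        # Guide's caveat: publishing happens only if the subject DN already exists.
        if cert.subject_dn not in self.entries:
            return False
        self.entries[cert.subject_dn]["userCertificate"] = cert
        return True

    def publish_crl(self, crl):
        self.entries.setdefault(crl.issuer_dn, {})["certificateRevocationList"] = crl

    def fetch_crl(self, issuer_dn):
        return self.entries.get(issuer_dn, {}).get("certificateRevocationList")


class CertificateManager:
    """Stand-in for the Certificate Manager (the CA). Signatures are not modelled."""

    def __init__(self, issuer_dn, directory):
        self.issuer_dn = issuer_dn
        self.directory = directory
        self._next_serial = 1
        self._revoked = set()

    def enroll(self, subject_dn, now=NOW, validity=timedelta(days=365)):
        # Step 1: a CEP request arrives (client authentication of the request not shown).
        cert = Certificate(self._next_serial, subject_dn, self.issuer_dn, now + validity)
        self._next_serial += 1
        published = self.directory.publish_cert(cert)  # step 2
        return cert, published

    def revoke(self, cert):
        self._revoked.add(cert.serial)  # step 3: the agent revokes a certificate

    def publish_crl(self, now=NOW, lifetime=timedelta(days=1)):
        crl = CRL(self.issuer_dn, now, now + lifetime, frozenset(self._revoked))
        self.directory.publish_crl(crl)  # step 4
        return crl


def verify_peer(peer_cert, trusted_issuer_dn, directory, now=NOW):
    """Step 5: the check a router runs on its peer's certificate. Returns (ok, reason)."""
    if peer_cert.issuer_dn != trusted_issuer_dn:
        return False, "issuer not trusted"
    if now > peer_cert.not_after:
        return False, "certificate expired"
    crl = directory.fetch_crl(peer_cert.issuer_dn)
    if crl is None:
        return False, "no CRL available"       # fail closed rather than skip the check
    if now > crl.next_update:
        return False, "CRL is stale"           # an old CRL may omit recent revocations
    if peer_cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    return True, "ok"


def run_scenario():
    ca_dn = "cn=Certificate Manager,o=Example"
    router_a, router_b = "cn=router-a,o=Example", "cn=router-b,o=Example"
    directory = Directory([ca_dn, router_a, router_b])  # router-c's DN deliberately absent
    ca = CertificateManager(ca_dn, directory)

    cert_a, pub_a = ca.enroll(router_a)
    cert_b, pub_b = ca.enroll(router_b)
    _, pub_c = ca.enroll("cn=router-c,o=Example")
    ca.publish_crl()  # an (empty) CRL must exist before the routers can validate each other
    before = (verify_peer(cert_b, ca_dn, directory)[0], verify_peer(cert_a, ca_dn, directory)[0])

    later = NOW + timedelta(days=30)  # "after some time has passed"
    ca.revoke(cert_b)
    ca.publish_crl(now=later)
    after = (verify_peer(cert_b, ca_dn, directory, now=later),
             verify_peer(cert_a, ca_dn, directory, now=later))
    stale = verify_peer(cert_a, ca_dn, directory, now=later + timedelta(days=2))
    return {"published": (pub_a, pub_b, pub_c), "before_revocation": before,
            "after_revocation": after, "stale_crl": stale}


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

Running the scenario shows router-c's certificate being issued but not published (its DN is missing from the directory), both routers authenticating before the revocation, router-b rejected once the new CRL is published, and router-a rejected when the router's clock is past the CRL's next-update time until a fresh CRL is fetched.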