I've been researching various implementations of VPNs with digital certs and can't find a solution for my environment. For a VPN, I have two PIXs, each with one Windows 2003 server behind it. These servers can be set up as independent CAs since there is no root here. I want to enable digital certificates due to key management and security. This is a closed network and the PIXs cannot communicate with a third party. How can I implement certs in this architecture?

1) Can trusted certs get "placed" on a PIX so the PIX can authenticate another PIX based on an incoming connection?
2) I read somewhere that one of these servers can be used to validate certs using a pre-shared key to establish a secure connection and tunnel through the firewall to verify (no public access allowed). Once this handshake is complete, another key is dynamically generated that is used to generate the actual VPN for the session.
Can anyone provide insight, ideas, and guidelines on something that would work here? Thanks!