Welcome to Cisco Firewalls Community
Beginner

Why is an intermediate CA Trustpoint required?

When uploading a new identity certificate you are required to upload the intermediate signing certificate as well. My question is since the CA is contained within the identity certificate why is it necessary to upload the CA independently as well? I would assume that the ASA would implicitly trust the certificate it has the private key for.

Accepted Solutions
VIP Advocate

Re: Why is an intermediate CA Trustpoint required?

The intermediate CA cert is not contained inside the identity cert. The identity cert contains only a reference to the name of the issuing CA. The public key of the CA only comes when you install the CA cert into the ASA.

 

Also, the reason for this step is not for the ASA to trust the identity certificate. When the ASA acts as an SSL/TLS server, the client connecting to it would receive the ASA's identity certificate as a part of the SSL handshake. Part of the client's validation process is to verify if the ASA's cert is issued by a CA that is trusted. If the ASA has the intermediate cert installed, it will send both identity and intermediate cert to the client. In a lot of cases, the client only has the top level root certs installed in its trusted store. With the intermediate cert from the ASA, it can then build the chain of trust all the way from identity to root certs.
