Why is an intermediate CA Trustpoint required?

Matt (Level 1)

When uploading a new identity certificate, you are required to upload the intermediate signing certificate as well. My question is: since the CA is contained within the identity certificate, why is it necessary to upload the CA independently as well? I would assume that the ASA would implicitly trust the certificate it has the private key for.

Accepted Solution

Rahul Govindan (VIP Alumni)

The intermediate CA cert is not contained inside the identity cert. The identity cert contains only a reference to the name of the issuing CA. The public key of the CA only comes when you install the CA cert into the ASA.

Also, the reason for this step is not for the ASA to trust the identity certificate. When the ASA acts as an SSL/TLS server, the client connecting to it would receive the ASA's identity certificate as a part of the SSL handshake. Part of the client's validation process is to verify if the ASA's cert is issued by a CA that is trusted. If the ASA has the intermediate cert installed, it will send both identity and intermediate cert to the client. In a lot of cases, the client only has the top level root certs installed in its trusted store. With the intermediate cert from the ASA, it can then build the chain of trust all the way from identity to root certs.

