Crypto PKI - Import/Copy of multiple ca certificates into certificate chain fails (subordinate ca cert and root ca cert)
I have a certificate chain that was issued by an intermediate CA. The chain consists of the router identity certificate, the subordinate CA certificate, and the root CA certificate; the router identity certificate was issued by the subordinate CA. I am currently unable to install both the subordinate CA cert and the root CA cert so that they are both present in the router. If I try the import method, I am told to delete one CA certificate before installing the other; if I try to copy the hex values that show up in the running config directly into a certificate chain, the second and third certificates to be copied simply overwrite the rest, so there remains only one certificate in the certificate chain, which is the last one to be copied. I have also read that the whole certificate chain needs to be validated up to the root, and that the root certificate cannot be installed via an AIA; rather, it must be either copied into the router or available from Microsoft (which it is not). Does anyone know the procedure to install the whole certificate chain into a router? The two platforms that will need this setup are ASR 1000 and 3945 routers.
I found out the solution. By default only a single certificate is allowed in a single trustpoint. There is an option for <chain-validation> for a certificate, and the default is <chain-validation stop>, which means that if you have a subordinate CA configured in the trustpoint and you trust it, validation stops there. If you wanted to verify a whole certificate chain to include the root, then you would choose <chain-validation continue trustpointx> and reference a different trustpoint where you would import your root CA certificate.
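The two-trustpoint layout described in the answer above, written out as an added example of an IOS configuration. This is not configuration taken from the original post or from any Cisco document; the trustpoint names ROOT-CA and SUB-CA are assumed, and `revocation-check none` is used only so the example does not depend on a reachable CRL or OCSP responder (a lab shortcut, not a recommendation for production).

```ios
! Added example (not from the original post). Trustpoint names are assumed.
!
! 1. Trustpoint that holds only the root CA certificate.
!    It is the top of the chain, so validation stops here (the default).
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
 chain-validation stop
!
! 2. Trustpoint that holds the subordinate CA certificate and the
!    router identity certificate issued by that subordinate CA.
!    "chain-validation continue ROOT-CA" tells IOS not to stop at the
!    subordinate CA but to verify its certificate against the root
!    stored in the ROOT-CA trustpoint.
crypto pki trustpoint SUB-CA
 enrollment terminal pem
 revocation-check none
 chain-validation continue ROOT-CA
 subject-name CN=router1.example.test
 rsakeypair ROUTER1-KEY 2048
!
! 3. Install the CA certificates, root first. Each "authenticate" takes
!    exactly one PEM certificate pasted at the prompt, ending with "quit".
!    (In exec mode, not configuration mode.)
!
! Router# crypto pki authenticate ROOT-CA
!   <paste root CA certificate PEM>
!   quit
!
! Router# crypto pki authenticate SUB-CA
!   <paste subordinate CA certificate PEM>
!   quit
!
! 4. Generate the request, have the subordinate CA sign it, then import
!    the issued identity certificate into SUB-CA.
!
! Router# crypto pki enroll SUB-CA
! Router# crypto pki import SUB-CA certificate
!   <paste router identity certificate PEM>
!   quit
!
! 5. Verify that each trustpoint holds the expected certificate and
!    that SUB-CA chains to ROOT-CA.
!
! Router# show crypto pki trustpoints
! Router# show crypto pki certificates
```

The ordering matters: `crypto pki authenticate ROOT-CA` must succeed before `crypto pki authenticate SUB-CA`, because with `chain-validation continue ROOT-CA` the router checks the subordinate CA certificate's signature against the root at that point. If the root is missing or does not match the issuer of the subordinate CA certificate, the second authenticate fails rather than silently accepting the intermediate.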