Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
3
Helpful
5
Replies

Authentication of Intermediate and Root CAs

Go to solution
AdamB32212
Level 1
Level 1

‎08-29-2023 02:40 PM

We are using Cisco CUBEs and we have a question about how certificates are authenticated.

Given two CUBEs loaded with certificate files where the Root CA is the same but intermediate CAs are different, will those CUBEs be able to establish TLS? Or will we need a new Trustpoint with each other's intermediate CA?

Also, is there a command to see which specific certificates are offered during a TLS handshake?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎08-30-2023 06:31 AM

Welcome to Certificate Chain Validation. My understanding after re-reading the documentation is that the default behavior looks for the first/lowest CA in the chain provided by the peer that is trusted by the router and then stops. That could be the root if that's the only thing you created a trustpoint for, skipping over the intermediate CA(s). If you want IOS to validate the full chain of intermediate(s) and the root you need to include chain-validation continue <root CA trustpoint> in the intermediate CA trustpoint(s). FWIW- This command is part of my personal best practices, but I like to nerd out on PKI stuff.

While on the topic of certificate validation, my understanding is that IOS only processes CRLs by default for the revocation status check. Most public CAs use OCSP these days with CRLs serving as a legacy backup mechanism. You need to use revocation-check ocsp crl on the trustpoint if you want the router to use OCSP and fallback to CRLs. Check the certificate first to ensure it has the AIA (OCSP) and CDP (CRL) attributes though.

As for viewing the specific certs offered: I tend to use the embedded packet capture filtered to the IP of the far end - and SIP TLS port if there are active calls to avoid RTP traffic. It's really easy to see the cert chain sent/received in the TLS Server Hello packet in Wireshark.

View solution in original post

Go to solution
AdamB32212
Level 1
Level 1
In response to Jonathan Schulenberg

‎08-30-2023 06:51 AM

Thank you for the "Certificate Chain Validation" link! While I searched for the answer, I did not find it somehow. So essentially Root CA is enough, unless configured otherwise, which is perfect. 

The packet capture - yes, I was aware of it, just thought there might be some additional way to make the router spit out the information specific to the certificates. But this is good enough, we'll just use wireshark to analyze the .pcap.

I will leave the post open until Noon just in case anyone has a working experience with this and then I will close the topic as resolved.

Thank you!

 

 

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Roger Kallberg
VIP
VIP

‎08-29-2023 10:28 PM

AFAIK you would need to have the intermediate certificate present in the trust store to be able to form the TLS trust. On your other question, I don’t know if there are any command present for seeing what certificate(s) are used in the handshake. Likely there are debug(s) where this can be seen, but I don’t know which specifically they are as I’ve never needed to look into this.



Response Signature


Go to solution
M02@rt37
VIP
VIP

‎08-29-2023 11:38 PM - edited ‎08-29-2023 11:38 PM

Hello @AdamB32212,

...is there a command to see which specific certificates are offered during a TLS handshake?

Try #debug ssl ? 

Check the option given in the output.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Go to solution
AdamB32212
Level 1
Level 1
In response to M02@rt37

‎08-30-2023 06:21 AM

I'll give it a try. Thank you!

0 Helpful

Go to solution
Jonathan Schulenberg
Hall of Fame
Hall of Fame

‎08-30-2023 06:31 AM

Welcome to Certificate Chain Validation. My understanding after re-reading the documentation is that the default behavior looks for the first/lowest CA in the chain provided by the peer that is trusted by the router and then stops. That could be the root if that's the only thing you created a trustpoint for, skipping over the intermediate CA(s). If you want IOS to validate the full chain of intermediate(s) and the root you need to include chain-validation continue <root CA trustpoint> in the intermediate CA trustpoint(s). FWIW- This command is part of my personal best practices, but I like to nerd out on PKI stuff.

While on the topic of certificate validation, my understanding is that IOS only processes CRLs by default for the revocation status check. Most public CAs use OCSP these days with CRLs serving as a legacy backup mechanism. You need to use revocation-check ocsp crl on the trustpoint if you want the router to use OCSP and fallback to CRLs. Check the certificate first to ensure it has the AIA (OCSP) and CDP (CRL) attributes though.

As for viewing the specific certs offered: I tend to use the embedded packet capture filtered to the IP of the far end - and SIP TLS port if there are active calls to avoid RTP traffic. It's really easy to see the cert chain sent/received in the TLS Server Hello packet in Wireshark.

Go to solution
AdamB32212
Level 1
Level 1
In response to Jonathan Schulenberg

‎08-30-2023 06:51 AM

Thank you for the "Certificate Chain Validation" link! While I searched for the answer, I did not find it somehow. So essentially Root CA is enough, unless configured otherwise, which is perfect. 

The packet capture - yes, I was aware of it, just thought there might be some additional way to make the router spit out the information specific to the certificates. But this is good enough, we'll just use wireshark to analyze the .pcap.

I will leave the post open until Noon just in case anyone has a working experience with this and then I will close the topic as resolved.

Thank you!

 

 

 

0 Helpful
Customers Also Viewed These Support Documents