Difference between the "crypto pki authenticate" and "crypto pki import" commands

tschafferx (Level 1)

Hello Cisco community,

As I was building the chain of trust on a router, I realized that there are two commands that seem to do the same.

In order to add the intermediary certificate to a trustpoint I normally would use the command:

crypto pki authenticate subca

After that I would add the router certificate to that trustpoint with the following command:

crypto pki import subca certificate 

Here are my questions:

1: Could I use the command crypto pki authenticate subca to import the router certificate, or does the router do something different with crypto pki import subca certificate?

2: It seems to be common practice to create a separate trustpoint for the root certificate and another one for the sub-CA and the router certificate. What's the idea behind that?

Any input is appreciated. Thank you.

4 Replies

For question two, you can't combine multiple certificates into a single
trustpoint. Having multiple TPs allows you to have different settings for them,
such as binding the private key, CRLs, OCSP, storage, etc.

The PKI import command will allow you to import the certificate, but you still
need to authenticate with the CA to make sure that the certificate is validated. If
you import with authentication, you can still authenticate, but you are at
security risk that it's an invalid certificate.
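
The two-trustpoint layout the question describes, with the separate roles of "authenticate" (installs a CA certificate) and "import ... certificate" (installs the router's own certificate), as an added IOS configuration example that is not from the original thread. The trustpoint names ROOT and SUBCA, the key-pair name ROUTER-KEY and the fingerprint placeholder are assumptions.

```cisco
! Added example, not from the thread. ROOT, SUBCA and ROUTER-KEY are assumed names.
! Trustpoint 1: holds only the root CA certificate (the trust anchor).
crypto pki trustpoint ROOT
 enrollment terminal pem
 revocation-check none
 ! Pre-stating the expected fingerprint makes "authenticate" verify the pasted
 ! CA certificate against it instead of relying on a manual yes/no at the prompt.
 fingerprint <ROOT-CA-FINGERPRINT-PLACEHOLDER>
!
! Trustpoint 2: holds the sub-CA certificate plus this router's own certificate,
! bound to the key pair that signs the enrollment request. It chains up to ROOT.
crypto pki trustpoint SUBCA
 enrollment terminal pem
 rsakeypair ROUTER-KEY
 chain-validation continue ROOT
 revocation-check none
!
! Step 1: "authenticate" installs a CA certificate into a trustpoint.
! Paste the root CA PEM, then the sub-CA PEM, at the respective prompts.
crypto pki authenticate ROOT
crypto pki authenticate SUBCA
!
! Step 2: "enroll" generates the CSR for ROUTER-KEY; submit it to the sub-CA.
crypto pki enroll SUBCA
!
! Step 3: "import ... certificate" installs the router's own (end-entity)
! certificate returned by the sub-CA. It must match ROUTER-KEY, which is why
! the sub-CA cert (authenticate) and the router cert (import) share the SUBCA
! trustpoint, while the root stays in its own trustpoint with its own settings.
crypto pki import SUBCA certificate
!
! Check: the trustpoint should now list both a CA certificate and a router certificate.
show crypto pki certificates SUBCA
```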

Hello Mohammed,

Thank you for your reply. You say that you can't combine multiple certificates into one single trustpoint.

--> A lot of documentation recommends putting both the Sub-CA and the router certificate into one common trustpoint.

Can you comment on that?

Tell me which part isn't clear to explain. The statement mentions having a
separate cert in each trustpoint, which I mentioned.

Hello Mohammed,

You mentioned: "For question two, you can't combine multiple certificates to single
trustpoint."

The question was why a lot of documentation suggests putting multiple certificates, e.g. the Sub-CA and the server certificate, into one common trustpoint.

Brgrds
