cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
5194
Views
0
Helpful
2
Replies
gucakrtalic
Beginner

Authenticate and/or import certificate from other vendoor

Hi,

I have to configure following security scenario:

On CISCO:

- Add CA server(CA1) certificate which certificates peer host

- Add CISCO certificate retreived from CA server (CA2)

So I used following:

crypto pki trustpoint CA_ROOT

enrollment terminal

usage ssl-server

revocation-check none

and manually done authentification of CA server (CA1) certificate.

This is how it looks like:

AS67129(config)#crypto pki authenticate CA_ROOT

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj

c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg

U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw

CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU

RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG

9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww

4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/

HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU

XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng

k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i

nSGRkopq2MDqM3s=

-----END CERTIFICATE-----

quit

Trustpoint 'CA_ROOT' is a subordinate CA and holds a non self signed cert

Certificate has the following attributes:

       Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C

      Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Is it needed now running command:

crypto pki import CA_ROOT certificate


What is the difference between authenticate and import ?

Result of this import command is that certificate is not signed by CISCO's private key.

Currently private key for CISCO not exists.

Imported certificate is generated by SCEP server which will provide certificate for peer host in

IpSec tunnel setup.

Thanks

Renato

1 ACCEPTED SOLUTION

Accepted Solutions
rkumar5
Beginner

Hi Renato.

The command crypto pki authenticate CA_ROOT is to authenticate the certification authority (CA) (by getting the certificate of the CA)

This command is required when you initially configure CA support at your router.

This command authenticates the CA to your router by obtaining the  self-signed certificate of the CA that contains the public key of the  CA. Because the CA signs its own certificate, you should manually  authenticate the public key of the CA by contacting the CA administrator  when you enter this command.

In the following example, the router requests the certificate of the CA.  The CA sends its certificate and the router prompts the administrator  to verify the certificate of the CA by checking the CA certificate's  fingerprint. The CA administrator can also view the CA certificate's  fingerprint, so you should compare what the CA administrator sees to  what the router displays on the screen. If the fingerprint on the  router's screen matches the fingerprint viewed by the CA administrator,  you should accept the certificate as valid.

Router(config)# crypto pki authenticate myca


Certificate has the following attributes:

Fingerprint: 0123 4567 89AB CDEF 0123

Do you accept this certificate? [yes/no] y#

crypto pki import name certificate is to import the identity certificate on the router.

Here is the link taht you can follow

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1044348

HTH

Regards

Raj Kumar

                                          Please rate all helpful posts

View solution in original post

2 REPLIES 2
rkumar5
Beginner

Hi Renato.

The command crypto pki authenticate CA_ROOT is to authenticate the certification authority (CA) (by getting the certificate of the CA)

This command is required when you initially configure CA support at your router.

This command authenticates the CA to your router by obtaining the  self-signed certificate of the CA that contains the public key of the  CA. Because the CA signs its own certificate, you should manually  authenticate the public key of the CA by contacting the CA administrator  when you enter this command.

In the following example, the router requests the certificate of the CA.  The CA sends its certificate and the router prompts the administrator  to verify the certificate of the CA by checking the CA certificate's  fingerprint. The CA administrator can also view the CA certificate's  fingerprint, so you should compare what the CA administrator sees to  what the router displays on the screen. If the fingerprint on the  router's screen matches the fingerprint viewed by the CA administrator,  you should accept the certificate as valid.

Router(config)# crypto pki authenticate myca


Certificate has the following attributes:

Fingerprint: 0123 4567 89AB CDEF 0123

Do you accept this certificate? [yes/no] y#

crypto pki import name certificate is to import the identity certificate on the router.

Here is the link taht you can follow

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c5.html#wp1044348

HTH

Regards

Raj Kumar

                                          Please rate all helpful posts

View solution in original post

Hi Raj Kumar,

Thank You on the explanation. It helped me a lot since I've never been working with certificates on CISCO.

I finally managed to add certificates on my CISCO 2951 router.

Many thanks

BR
Renato