Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
4
Replies
Highlighted
tschafferx
Beginner
Beginner
‎06-13-2019 12:38 AM
‎06-13-2019 12:38 AM

Difference between "crypto pki authenticate and import" command

Hello Cisco community,

 

As I was building the chain of trust on a router, I realized that there are two commands that seem to do the same.

In order to add the intermediary certificate to a trustpoint I normally would use the command:

crypto pki authenticate subca

After that I would add the router certificate to that trustpoint with the following command:

crypto pki import subca certificate 

 

Here are my questions:

 

1:

 

Could I use the command crypto pki authenticate subca to import the router certificate or does the router do something different with the crypto pki import subca certificate?

 

2:

 

It seems like common practice to create a separate trustpoint for the root certificate and create another one for the subca and the router certificate. What's the idea behind that.

 

Any input is appreciated. Thank you.

Labels:
0 Helpful
4 REPLIES 4
Highlighted
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎06-13-2019 02:03 AM
‎06-13-2019 02:03 AM

For question two, you can't combine multiple certificates to single
trustpoint. Having multiple TPs allow to have different settings for them
such as binding private key, crls, ocsp, storage, etc.

PKI import command will allow you to import the certificate but you still
need to authenticate with CA to make sure that certificate is validated. If
you import with authentication, you can still authenticate but you are at
security risk that its invalid certificate.
0 Helpful
Highlighted
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-13-2019 04:38 AM
‎06-13-2019 04:38 AM

Hello Mohammed,

 

thank you for your reply. You say that you can't combine multiple certificates into one single trustpoint. 

--> A lot of documentation recommends to put both the Sub-Ca and the Router Certificate into one common trustpoint.

 

Can you comment on that?

0 Helpful
Highlighted
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
In response to tschafferx
‎06-13-2019 10:59 AM
‎06-13-2019 10:59 AM

Tell me which part isn't clear to explain. The statement mentions to have
seperate cert in each trustpoint which I mentioned.
0 Helpful
Highlighted
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-14-2019 01:09 AM
‎06-14-2019 01:09 AM

Hello Mohammed,

 

you mentioned: "For question two, you can't combine multiple certificates to single
trustpoint."

 

The question was, why a lot of documentation suggests to put multiple certificates e.g.  SubCa and Server Certificate into one common trustpoint.

 

Brgrds

0 Helpful
Latest Contents
Endpoint purge
Created by craiglebutt on 10-24-2020 06:42 AM
1
0
1
0
We have the Endpoint purge to delete any thing over 365 days, but this wasn't working as standard since in was installedSo disabled and enabled again and this seem to fix it, as had just under 200k endpoints captured. But it removed all clients that ... view more
Script to push/post all static routes on Firepower Managemen...
Created by Dv on 10-24-2020 03:07 AM
0
10
0
10
Problem: When we unregister FTD from FMC and re-register, all the static routes are lost on it. Sometimes device has database corruption, if re-image is the only solution then upon re-image, FTD comes up fresh and we need to configure everything from scra... view more
ASA 5585-X Howo change Secondary Active to Standby without R...
Created by MANFRED LIEBCHEN on 10-23-2020 01:07 AM
5
0
5
0
Hi,I have a very simple question; we have two ASA 5585-X working in Active/Standby Mode with multiuser Contexts.Normally Primary Unit is active for failover group 1 and 2; Secondary Unit is standby !At the moment our Secondary Unit is completely disconnec... view more
CCIE Security and Practical Applications in Today’s Network:...
Created by ciscomoderator on 10-22-2020 11:48 AM
0
0
0
0
Meet the Authors Event - CCIE Security and Practical Applications in Today’s Network: Zero Trust (Live event – Thursday, 29th, 2020 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 6:00 p.m. Paris) This event will have place on Thursday 29th, October 2020 at 1... view more
My company uses Microsoft Azure AD, can I sign into Cisco Se...
Created by diddly on 10-22-2020 06:34 AM
0
5
0
5
Question My company uses Microsoft Azure AD, and I sign into all my applications using that account. Can I use that account when I sign in? Answer Yes - all applications that support SecureX sign-on allow direct login with your Microsoft Azure AD accou... view more
Content for Community-Ad

This widget could not be displayed.