Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
833
Views
0
Helpful
4
Replies
tschafferx
Beginner
Beginner
‎06-13-2019 12:38 AM
‎06-13-2019 12:38 AM

Difference between "crypto pki authenticate and import" command

Hello Cisco community,

 

As I was building the chain of trust on a router, I realized that there are two commands that seem to do the same.

In order to add the intermediary certificate to a trustpoint I normally would use the command:

crypto pki authenticate subca

After that I would add the router certificate to that trustpoint with the following command:

crypto pki import subca certificate 

 

Here are my questions:

 

1:

 

Could I use the command crypto pki authenticate subca to import the router certificate or does the router do something different with the crypto pki import subca certificate?

 

2:

 

It seems like common practice to create a separate trustpoint for the root certificate and create another one for the subca and the router certificate. What's the idea behind that.

 

Any input is appreciated. Thank you.

Labels:
0 Helpful
4 REPLIES 4
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎06-13-2019 02:03 AM
‎06-13-2019 02:03 AM

For question two, you can't combine multiple certificates to single
trustpoint. Having multiple TPs allow to have different settings for them
such as binding private key, crls, ocsp, storage, etc.

PKI import command will allow you to import the certificate but you still
need to authenticate with CA to make sure that certificate is validated. If
you import with authentication, you can still authenticate but you are at
security risk that its invalid certificate.
0 Helpful
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-13-2019 04:38 AM
‎06-13-2019 04:38 AM

Hello Mohammed,

 

thank you for your reply. You say that you can't combine multiple certificates into one single trustpoint. 

--> A lot of documentation recommends to put both the Sub-Ca and the Router Certificate into one common trustpoint.

 

Can you comment on that?

0 Helpful
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
In response to tschafferx
‎06-13-2019 10:59 AM
‎06-13-2019 10:59 AM

Tell me which part isn't clear to explain. The statement mentions to have
seperate cert in each trustpoint which I mentioned.
0 Helpful
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-14-2019 01:09 AM
‎06-14-2019 01:09 AM

Hello Mohammed,

 

you mentioned: "For question two, you can't combine multiple certificates to single
trustpoint."

 

The question was, why a lot of documentation suggests to put multiple certificates e.g.  SubCa and Server Certificate into one common trustpoint.

 

Brgrds

0 Helpful
Latest Contents
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Understanding IP Layer Enforcement on Cisco Umbrella
Created by Meddane on 05-17-2022 03:10 AM
0
0
0
0
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use... view more
Cisco ISE Integration With F5 BIG-IP LTM Load Balancer for G...
Created by Meddane on 05-15-2022 02:24 AM
0
0
0
0
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.   The method used for Guest Access is the Self-Registration. Healt Monitor using HTTP... view more
Cisco ASA 9.714 version SNMP not working in EVE-NG LAB Envir...
Created by waqas.muhammad49 on 05-10-2022 06:56 AM
0
0
0
0
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the... view more
ISE Integration with Eduroam External Server
Created by deepuvarghese1 on 05-09-2022 08:31 PM
3
20
3
20
The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and resea... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad