Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
698
Views
0
Helpful
4
Replies
tschafferx
Beginner
Beginner
‎06-13-2019 12:38 AM
‎06-13-2019 12:38 AM

Difference between "crypto pki authenticate and import" command

Hello Cisco community,

 

As I was building the chain of trust on a router, I realized that there are two commands that seem to do the same.

In order to add the intermediary certificate to a trustpoint I normally would use the command:

crypto pki authenticate subca

After that I would add the router certificate to that trustpoint with the following command:

crypto pki import subca certificate 

 

Here are my questions:

 

1:

 

Could I use the command crypto pki authenticate subca to import the router certificate or does the router do something different with the crypto pki import subca certificate?

 

2:

 

It seems like common practice to create a separate trustpoint for the root certificate and create another one for the subca and the router certificate. What's the idea behind that.

 

Any input is appreciated. Thank you.

Labels:
0 Helpful
4 REPLIES 4
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎06-13-2019 02:03 AM
‎06-13-2019 02:03 AM

For question two, you can't combine multiple certificates to single
trustpoint. Having multiple TPs allow to have different settings for them
such as binding private key, crls, ocsp, storage, etc.

PKI import command will allow you to import the certificate but you still
need to authenticate with CA to make sure that certificate is validated. If
you import with authentication, you can still authenticate but you are at
security risk that its invalid certificate.
0 Helpful
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-13-2019 04:38 AM
‎06-13-2019 04:38 AM

Hello Mohammed,

 

thank you for your reply. You say that you can't combine multiple certificates into one single trustpoint. 

--> A lot of documentation recommends to put both the Sub-Ca and the Router Certificate into one common trustpoint.

 

Can you comment on that?

0 Helpful
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
In response to tschafferx
‎06-13-2019 10:59 AM
‎06-13-2019 10:59 AM

Tell me which part isn't clear to explain. The statement mentions to have
seperate cert in each trustpoint which I mentioned.
0 Helpful
tschafferx
Beginner
Beginner
In response to Mohammed al Baqari
‎06-14-2019 01:09 AM
‎06-14-2019 01:09 AM

Hello Mohammed,

 

you mentioned: "For question two, you can't combine multiple certificates to single
trustpoint."

 

The question was, why a lot of documentation suggests to put multiple certificates e.g.  SubCa and Server Certificate into one common trustpoint.

 

Brgrds

0 Helpful
Latest Contents
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
IntroductionPrerequisitesConfiguration Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
FMC API | ACP - Delete disabled rules and generate report.
Created by Anupam Pavithran on 05-06-2021 06:48 AM
0
5
0
5
A python based script to generate report if there are disabled rules under an Access Control Policy and an option to delete those rules in bulk.   Preparation Step 1 Download the script on PCStep 2 Make sure python3 is installed on PC and have reach... view more
FMC API | ACP Double logging detection and mitigation script
Created by Anupam Pavithran on 05-06-2021 06:09 AM
0
5
0
5
A python based script to generate report if there are double logging on FMC ACP (logging at beginning and end), having rule action "Allow" or "Trust". (Option1 ) Also, the logging at the begging will be disabled if logging is detected for both beginning ... view more
Content for Community-Ad