Select from multiple certificates when crypto pki authenticate trustp

zsion
Level 1

Hi folks,

I have an enrollment URL which sends 2 certificates to a Cisco-IE3400 when we authenticate the trustpoint (crypto pki authenticate MyTrustpoint). We would like to use the 2nd certificate from the message, but the router seems to process only the first one. Even when specifying the fingerprint before authenticating, the certificate will not be accepted, because it seems that the device processes only the first certificate.

In our use-case the enrollment URL will send the root and the intermediary certificates in a single message to the router.

Is it possible to select from the certificates when authenticating, or to process both certificates from the message?

2 Replies

Hi, authenticate and enroll are two different things.

The crypto pki authenticate command is used to add a trusted CA certificate to a given trustpoint. Each trustpoint can be authenticated a single time. That is, a trustpoint can only contain a single CA root or intermediate certificate. Running the command a second time and adding a new cert will overwrite the first certificate.

If you want to have a 2nd CA certificate, then create another trustpoint for that.

What are you trying to accomplish? Are you trying to have two certs for the switch, or two CA certs like a CA and a subordinate CA?

It may be better to do manual enrollment if you want to get a specific CA cert.

Please explain further.
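As an added illustration of the trustpoint model described in the reply above (one CA certificate per trustpoint, chained together), here is an IOS configuration that keeps the root and the intermediate CA in two separate trustpoints and authenticates each one manually. This is example configuration written for this page, not from the original thread or from Cisco; the trustpoint names, key label, subject name and fingerprint value are placeholders. It assumes the two certificates returned by the enrollment URL have first been split into individual PEM files off the box (for a PKCS#7 bundle, `openssl pkcs7 -print_certs` does this) so that each `crypto pki authenticate` is given exactly one certificate.

```cisco
! Added example (not from this thread). Names and fingerprint are placeholders.
!
! Trustpoint 1: the root CA. Authenticated by pasting only the root PEM.
! The fingerprint line makes IOS reject any certificate that does not match it.
crypto pki trustpoint ROOT-CA
 enrollment terminal pem
 revocation-check none
 fingerprint <ROOT-CA-FINGERPRINT-PLACEHOLDER>
!
! Trustpoint 2: the intermediate (subordinate) CA that will sign the switch
! certificate. chain-validation links it to ROOT-CA so the full chain is
! checked instead of treating the intermediate as a standalone anchor.
crypto pki trustpoint SUB-CA
 enrollment terminal pem
 chain-validation continue ROOT-CA
 revocation-check none
 rsakeypair SUB-CA-KEY 2048
 subject-name CN=ie3400-01.example.test
!
! Authenticate each trustpoint with exactly ONE CA certificate: paste the
! corresponding PEM at the prompt, then type "quit" and confirm.
crypto pki authenticate ROOT-CA
crypto pki authenticate SUB-CA
!
! Manual enrollment against the subordinate CA: IOS prints the CSR on the
! terminal; sign it with the intermediate CA and import the result.
crypto pki enroll SUB-CA
crypto pki import SUB-CA certificate
end
!
! Verification: both CA certificates and the switch certificate should be
! listed, each under its own trustpoint.
show crypto pki trustpoints status
show crypto pki certificates
```

The order matters: authenticate ROOT-CA before SUB-CA, because `chain-validation continue ROOT-CA` is resolved when the intermediate is validated. Keeping the root in its own trustpoint with a pinned fingerprint also gives a clear audit point for which anchor the switch actually trusts.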

Hi. I really appreciate the quick response, thank you. On crypto pki authenticate, the message I'm getting back from the CA contains 2 certificates, not just a single one. Is there any way to configure the Cisco router to select between the certificates, or will it always select the first one detected in the message?