Authenticating the CA


The next step is obtaining the CA's public key and verifying its authenticity. This key is contained in the CA's own digital certificate, which is self-signed by the CA.

www.syngress.com

Configuring Virtual Private Networking • Chapter 7 359

Therefore, after obtaining this certificate, the PIX has to verify that it is authentic using some offline method. This can be accomplished by obtaining a special attribute of the certificate, a "fingerprint," from the CA's administrator (or by other means). A fingerprint is a hash of the certificate's content; if the hash calculated by the PIX and the hash received out of band match, the certificate is genuine. The command used on the PIX for requesting the CA's certificate is:

ca authenticate ca_nickname [fingerprint]

If this command is used with only one parameter—the CA's nickname—the PIX simply requests the certificate from the CA and displays the result of this action:

PIX1(config)# ca authenticate verisign
Certificate has the following attributes:
Fingerprint: 1234 1234 5678 CDEF ABCD

The PIX also calculates a fingerprint of the received certificate (10 bytes in hexadecimal encoding) and displays it. It is then possible to compare it with the known fingerprint to verify the authenticity of the certificate. The check can be done automatically if the expected fingerprint is entered as part of the command:

PIX1(config)# ca authenticate verisign 0123456789abcd012345
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 5432
%Error in verifying the received fingerprint. Type help or '?' for a list
of available commands.

In this case, the calculated fingerprint (0123 4567 89AB CDEF 5432) and the expected one (0123 4567 89ab cd01 2345) did not match, so the certificate is discarded. The ca authenticate command is not stored in the PIX configuration; there is no need to perform it more than once for each new CA. If the authority you are using is an RA instead of a CA, it will return three certificates:

• The RA signing key
• The RA encryption key
• The CA general-purpose public key
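The fingerprint check described above, written out as an added example (this is not code from the book or from the PIX itself): hash the received certificate bytes, format the result the way the PIX displays it, normalise whatever the operator typed (case, spaces, colons) and compare in constant time. The page does not state which hash algorithm the PIX uses for its 10-byte fingerprint, so SHA-1 truncated to 10 bytes is an assumption here, as is the constructed certificate byte string.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the DER bytes of a CA certificate received over the
# network; a real PIX would obtain these with 'ca authenticate'.
RECEIVED_CERT_DER = b"-- constructed example: CA certificate bytes --"

FINGERPRINT_BYTES = 10  # the PIX displays a 10-byte fingerprint (per the text)


def fingerprint(cert_der: bytes, nbytes: int = FINGERPRINT_BYTES) -> str:
    """Return an uppercase hex fingerprint grouped in blocks of four digits,
    matching the PIX display style. The hash algorithm used by the PIX is
    not given on the page; SHA-1 truncated to nbytes is an assumption."""
    digest = hashlib.sha1(cert_der).digest()[:nbytes]
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def normalize(fp: str) -> str:
    """Drop spaces, colons and other separators and fold case, so that an
    operator-typed value ('0123456789abcd012345') compares against the
    displayed form ('0123 4567 89AB CDEF 5432')."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprints_match(calculated: str, expected: str) -> bool:
    """Constant-time comparison; a length mismatch (truncated or padded
    input) is simply a failed match, never an exception."""
    a, b = normalize(calculated), normalize(expected)
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate_ca(cert_der: bytes, expected_fp: Optional[str] = None) -> dict:
    """Mimic the two modes of 'ca authenticate': with no expected fingerprint
    only display the calculated one (accepted is None, the operator decides);
    with one, verify automatically and report whether the cert is accepted."""
    calc = fingerprint(cert_der)
    result = {"fingerprint": calc, "accepted": None}
    if expected_fp is not None:
        result["accepted"] = fingerprints_match(calc, expected_fp)
    return result


if __name__ == "__main__":
    # Display-only mode, then the mismatch from the page's example.
    print(authenticate_ca(RECEIVED_CERT_DER))
    print(fingerprints_match("0123 4567 89AB CDEF 5432", "0123456789abcd012345"))
```

The normalisation step is what makes the comparison meaningful: the failure on the page is a genuine content mismatch (CDEF 5432 versus cd01 2345), not a case or spacing difference, and the code distinguishes the two.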

The received certificate is stored in the memory area designated for storing the firewall's RSA keys (the whole record is called the RSA public key chain) and can be viewed with the following command:

show ca certificate


It produces output similar to this:

RA Signature Certificate

Status: Available

Certificate Serial Number: 38231245

Key Usage: Signature

CA Certificate

Status: Available

Certificate Serial Number: 38231256

Key Usage: Not Set

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 38231267

Key Usage: Encryption
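An added example (not code from the book) that parses 'show ca certificate' output of the form shown above into records and checks that the three certificates an RA returns are all present and Available, which is a quick way to confirm after a reboot that the certificates were actually saved. The sample output is constructed from the listing above; the record-header pattern and the field names are assumptions based on that listing only.

```python
import re

# Constructed sample, modelled on the 'show ca certificate' listing above.
SAMPLE_OUTPUT = """\
RA Signature Certificate
Status: Available
Certificate Serial Number: 38231245
Key Usage: Signature
CA Certificate
Status: Available
Certificate Serial Number: 38231256
Key Usage: Not Set
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 38231267
Key Usage: Encryption
"""

# A record header is a line ending in the word 'Certificate' with no
# 'field: value' colon (so 'Certificate Serial Number: ...' is not a header).
HEADER_RE = re.compile(r"^(?P<type>.+?) Certificate$")

# What an RA-issued chain should contain, per the text (three certificates).
EXPECTED_RA_CHAIN = ["RA Signature", "RA KeyEncipher", "CA"]


def parse_ca_certificates(text: str) -> list:
    """Split the listing into one dict per certificate; field names are
    lower-cased with underscores (status, certificate_serial_number, key_usage)."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and ":" not in line:
            current = {"type": m.group("type")}
            certs.append(current)
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return certs


def check_ra_chain(certs: list, expected=EXPECTED_RA_CHAIN) -> dict:
    """Report which expected certificate types are absent and which are
    present but not in the Available state."""
    by_type = {c["type"]: c for c in certs}
    missing = [t for t in expected if t not in by_type]
    unavailable = [t for t in expected
                   if t in by_type and by_type[t].get("status") != "Available"]
    return {"missing": missing, "unavailable": unavailable}


if __name__ == "__main__":
    parsed = parse_ca_certificates(SAMPLE_OUTPUT)
    for cert in parsed:
        print(cert)
    print(check_ra_chain(parsed))
```

Feeding the parser the output captured after a reload gives a direct test of the warning at the end of this section: if 'ca save all' was never run, the chain will come back with all three types missing.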

CA certificates must be stored in flash memory using the ca save all command or they will be lost after a reboot. The write memory command does not save certificates.