You can configure the hash using the following command:

R1(ca-trustpoint)#hash ?
  md5     use md5 hash algorithm
  sha1    use sha1 hash algorithm
  sha256  use sha256 hash algorithm
  sha384  use sha384 hash algorithm
  sha512  use sha512 hash algorithm

R1(ca-trustpoint)#hash

Thus, dependent on the hash you choose, the fingerprint from the server must match. Thus, to be safe, the fingerprint is sent in both sha and md5 format.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, September 20, 2010 10:13 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] fingerprint command in a trustpoint

I am not getting your point, Tyson.

With regards
Kings

On Mon, Sep 20, 2010 at 7:33 PM, Tyson Scott <[email protected]> wrote:

Doesn't matter. Both are sent dependent on what you configure.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, September 20, 2010 9:30 AM
To: [email protected]
Subject: [OSL | CCIE_Security] fingerprint command in a trustpoint

Hi all

Using "fingerprint" under a trustpoint, we can configure the CA server's fingerprint. By doing so, we need not verify the CA's fingerprint interactively during enrollment.

The CA server gives a sha and md5 fingerprint. But it seems either the sha or the md5 fingerprint can be entered under the trustpoint.

router1(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: 8D1A8193 2A9408AD B940AC90 74D75C66
      Fingerprint SHA1: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
Trustpoint Fingerprint: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.

Any thoughts?

With regards
Kings
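Added example, not part of the thread and not IOS code: it computes a CA certificate's fingerprints over its DER encoding and checks a pre-configured (pinned) value against them, using the 8-hex-digit grouping seen in the output quoted above. Picking the digest from the length of the pinned value is an assumption of this example, not a statement of how IOS selects it; the function names and SAMPLE_DER are constructed.

```python
import hashlib
import hmac

# Digest length in hex characters -> hashlib algorithm name.
_ALG_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}


def normalize(fp: str) -> str:
    """Strip the spaces/colons used in displayed fingerprints; upper-case the hex."""
    cleaned = "".join(ch for ch in fp if ch not in " :\t\n").upper()
    if not cleaned or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def cisco_style(hex_digest: str) -> str:
    """Group a hex digest in blocks of 8, as in the output quoted in the thread."""
    h = hex_digest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def fingerprints(cert_der: bytes) -> dict:
    """Digests of the DER-encoded certificate for all five algorithms."""
    return {alg: cisco_style(hashlib.new(alg, cert_der).hexdigest())
            for alg in _ALG_BY_HEX_LEN.values()}


def check_pinned(cert_der: bytes, pinned: str) -> str:
    """Return the algorithm whose digest equals the pinned value; raise otherwise."""
    want = normalize(pinned)
    alg = _ALG_BY_HEX_LEN.get(len(want))  # assumption: length identifies the hash
    if alg is None:
        raise ValueError(f"unexpected fingerprint length: {len(want)} hex chars")
    got = hashlib.new(alg, cert_der).hexdigest().upper()
    if not hmac.compare_digest(got, want):  # constant-time comparison
        raise ValueError(f"{alg} fingerprint mismatch: CA certificate rejected")
    return alg


# Constructed stand-in for a CA certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-sample-ca-certificate"

if __name__ == "__main__":
    fps = fingerprints(SAMPLE_DER)
    for alg, fp in fps.items():
        print(f"Fingerprint {alg.upper()}: {fp}")
    print("matched on:", check_pinned(SAMPLE_DER, fps["sha1"]))
```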
