Hi Tyson
Even if I configure a different hash algorithm like "sha512", the sha1 and
md5 fingerprints are sent. The command reference seems to describe a different
usage for the "hash" command. Please refer to the snippet from
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_f1.html#wp1038298
In the case of a normal router, it uses the algorithm specified with "hash" to
sign its self-signed cert.
In the case of a CS, it uses the algorithm specified with "hash" to sign the
issued certificate.
Hence, I feel the hash command can't control the fingerprint hash algorithm.
Please let me know if I am missing something.
*hash (ca-trustpoint)*
The *hash* command in ca-trustpoint configuration mode sets the hash
function for the signature that the Cisco IOS client will use to sign its
self-signed certificates. This hash setting does not specify what kind of
signature the certificate authority (CA) will use when it issues a
certificate to this client.
*hash (cs-server)*
The *hash* command in cs-server configuration mode sets the hash function
for the signature that the Cisco IOS CA will use to sign all of the
certificates issued by the server. If the CA is a root CA, it will use the
hash function in its own, self-signed certificate.
I configured the CA server with "hash sha512" and the output is given below.
SHA512 is used for the signature:
router3#sh crypto pki certificates verbose
CA Certificate
Status: Available
Version: 3
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=cisco
Subject:
cn=cisco
Validity Date:
start date: 14:45:34 UTC Sep 20 2010
end date: 14:45:34 UTC Sep 19 2013
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: C35AB75A B7C11609 F5B619C5 DC214253
Fingerprint SHA1: E4A333F9 1C50C9F9 1B1C6231 632612CA 03B86752
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: B3CC881A 0B4D5E03 14C1DC28 31943D3E A633BC7B
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: B3CC881A 0B4D5E03 14C1DC28 31943D3E A633BC7B
Authority Info Access:
Associated Trustpoints: cisco
With regards
Kings
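What the thread is circling around is that the IOS fingerprints are digests of the whole DER-encoded certificate (MD5 and SHA1 in these outputs), while the "hash" command only selects the hash inside the certificate's signature. The small script below is an added example, not code from the list or from Cisco: it reproduces the IOS fingerprint formatting, and implements the check that the "fingerprint" trustpoint command performs, i.e. one pinned value, matched as MD5 or SHA1 depending on its length. The certificate bytes are a constructed placeholder, and the function and variable names are the example's own.

```python
import hashlib
import hmac

# Constructed placeholder standing in for the DER-encoded CA certificate that
# "crypto pki authenticate" downloads; it is not a real certificate.
SAMPLE_CA_CERT_DER = b"constructed-placeholder-bytes-not-a-real-DER-certificate"

# The fingerprint is a digest of the complete DER certificate, so the
# fingerprint algorithms are fixed (MD5 and SHA1 in the IOS output above)
# regardless of the signature hash selected with the "hash" command.
FINGERPRINT_ALGORITHMS = {32: "md5", 40: "sha1"}  # hex-digit count -> algorithm


def format_fingerprint(hexdigest: str) -> str:
    """Render a hex digest the way IOS prints it: uppercase, 8-hex-digit groups."""
    h = hexdigest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def cisco_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Digest of the DER certificate bytes, formatted like a 'Fingerprint MD5:' line."""
    if algorithm not in FINGERPRINT_ALGORITHMS.values():
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    return format_fingerprint(hashlib.new(algorithm, cert_der).hexdigest())


def fingerprints(cert_der: bytes) -> dict:
    """Both fingerprints IOS would show for this certificate."""
    return {algo: cisco_fingerprint(cert_der, algo) for algo in FINGERPRINT_ALGORITHMS.values()}


def normalize_fingerprint(text: str) -> str:
    """Strip separators and case so 'b59a1756 c4df...' equals 'B59A1756C4DF...'."""
    cleaned = "".join(ch for ch in text if ch not in " :-\t").upper()
    if any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def verify_trustpoint_fingerprint(cert_der: bytes, configured: str):
    """Mimic 'fingerprint' under a trustpoint (hypothetical re-implementation):
    one configured value, algorithm chosen by its length, constant-time compare.
    Returns (matched, algorithm)."""
    wanted = normalize_fingerprint(configured)
    if len(wanted) not in FINGERPRINT_ALGORITHMS:
        raise ValueError(
            f"fingerprint of {len(wanted)} hex digits is neither MD5 (32) nor SHA1 (40)")
    algorithm = FINGERPRINT_ALGORITHMS[len(wanted)]
    actual = normalize_fingerprint(cisco_fingerprint(cert_der, algorithm))
    # compare_digest avoids leaking how many leading digits matched via timing.
    return hmac.compare_digest(actual, wanted), algorithm


if __name__ == "__main__":
    for algo, fp in fingerprints(SAMPLE_CA_CERT_DER).items():
        print(f"Fingerprint {algo.upper()}: {fp}")
    # The value an operator would have obtained out of band and pinned with
    # "fingerprint" under the trustpoint (here derived from the sample itself).
    pinned = cisco_fingerprint(SAMPLE_CA_CERT_DER, "sha1")
    print("Trustpoint Fingerprint:", pinned)
    print("genuine cert:", verify_trustpoint_fingerprint(SAMPLE_CA_CERT_DER, pinned))
    # Any change to the certificate bytes (re-signing with another hash,
    # a substituted CA key, a tampered extension) changes every fingerprint.
    print("altered cert:", verify_trustpoint_fingerprint(SAMPLE_CA_CERT_DER + b"x", pinned))
```

Because the digest covers the entire certificate, re-issuing the CA certificate with "hash sha512" produces a different MD5 and SHA1 fingerprint than before, but it does not change which fingerprint algorithms are displayed or accepted; the pinned value must be refreshed whenever the CA certificate is regenerated.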
On Mon, Sep 20, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:
> You can configure the hash using the following command:
>
> R1(ca-trustpoint)#hash ?
> md5 use md5 hash algorithm
> sha1 use sha1 hash algorithm
> sha256 use sha256 hash algorithm
> sha384 use sha384 hash algorithm
> sha512 use sha512 hash algorithm
> R1(ca-trustpoint)#hash
>
> Thus, dependent on the hash you choose, the fingerprint from the server must
> match. Thus, to be safe, the fingerprint is sent in both SHA and MD5 format.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Monday, September 20, 2010 10:13 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] fingerprint command in a trustpoint
>
>
>
> I am not getting your point Tyson.
>
> With regards
> Kings
>
> On Mon, Sep 20, 2010 at 7:33 PM, Tyson Scott <[email protected]> wrote:
>
> Doesn't matter. Both are sent dependent on what you configure.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Monday, September 20, 2010 9:30 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] fingerprint command in a trustpoint
>
>
>
> Hi all
>
> Using "fingerprint" under a trustpoint we can configure the CA server's
> fingerprint. By doing so we need not verify the CA's fingerprint interactively
> during enrollment. The CA server gives a SHA and an MD5
> fingerprint. But it seems that either the SHA or the MD5 fingerprint can be
> entered under the trustpoint.
>
> router1(config)#crypto pki authenticate cisco
> Certificate has the following attributes:
> Fingerprint MD5: 8D1A8193 2A9408AD B940AC90 74D75C66
> Fingerprint SHA1: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
> Trustpoint Fingerprint: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
> Certificate validated - fingerprints matched.
> Trustpoint CA certificate accepted.
>
>
> Any thoughts?
>
> With regards
> Kings
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com