It doesn't, and I didn't say it did. But the router needs to be able to read the certificate from the certificate server, so the certificate server will send both to allow clients to use either. Nothing you do on the client or server will stop it from sending both.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, September 20, 2010 10:40 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] fingerprint command in a trustpoint

Hi Tyson,

Even if I configure a different hash algorithm like "sha512", the sha1 and md5 fingerprints are sent. The command reference seems to have a different usage for the "hash" command. Please refer to the snippet from http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_f1.html#wp1038298. In the case of a normal router, it uses the "hash"-specified algorithm to sign its self-signed cert. In the case of CS, it uses the "hash"-specified algorithm to sign the issued certificate. Hence, I feel the hash command can't control the fingerprint hash algorithm. Please let me know if I am missing something.

hash (ca-trustpoint)
The hash command in ca-trustpoint configuration mode sets the hash function for the signature that the Cisco IOS client will use to sign its self-signed certificates. This hash setting does not specify what kind of signature the certificate authority (CA) will use when it issues a certificate to this client.

hash (cs-server)
The hash command in cs-server configuration mode sets the hash function for the signature that the Cisco IOS CA will use to sign all of the certificates issued by the server. If the CA is a root CA, it will use the hash function in its own, self-signed certificate.

I configured the CA server for "hash sha512" and given below is the O/P. sha512 is used for the signature:

router3#sh crypto pki certificates verbose
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=cisco
  Subject:
    cn=cisco
  Validity Date:
    start date: 14:45:34 UTC Sep 20 2010
    end   date: 14:45:34 UTC Sep 19 2013
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: C35AB75A B7C11609 F5B619C5 DC214253
  Fingerprint SHA1: E4A333F9 1C50C9F9 1B1C6231 632612CA 03B86752
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: B3CC881A 0B4D5E03 14C1DC28 31943D3E A633BC7B
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: B3CC881A 0B4D5E03 14C1DC28 31943D3E A633BC7B
    Authority Info Access:
  Associated Trustpoints: cisco

With regards,
Kings

On Mon, Sep 20, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:

You can configure the hash using the following command:

R1(ca-trustpoint)#hash ?
  md5     use md5 hash algorithm
  sha1    use sha1 hash algorithm
  sha256  use sha256 hash algorithm
  sha384  use sha384 hash algorithm
  sha512  use sha512 hash algorithm
R1(ca-trustpoint)#hash

Thus, dependent on the hash you choose, the fingerprint from the server must match. Thus, to be safe, the fingerprint is sent in both sha and md5 format.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, September 20, 2010 10:13 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] fingerprint command in a trustpoint

I am not getting your point, Tyson.

With regards,
Kings

On Mon, Sep 20, 2010 at 7:33 PM, Tyson Scott <[email protected]> wrote:

Doesn't matter. Both are sent dependent on what you configure.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, September 20, 2010 9:30 AM
To: [email protected]
Subject: [OSL | CCIE_Security] fingerprint command in a trustpoint

Hi all,

Using "fingerprint" under a trustpoint we can configure the CA server's fingerprint. By doing so we need not verify the CA's fingerprint interactively during enrollment. The CA server gives a sha and md5 fingerprint. But it seems either the sha or the md5 fingerprint can be entered under the trustpoint.

router1(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: 8D1A8193 2A9408AD B940AC90 74D75C66
      Fingerprint SHA1: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
Trustpoint Fingerprint: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.

Any thoughts?

With regards,
Kings
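The check the thread is circling, written out as an added example that is not from the thread or from Cisco: a stdlib Python script that parses the fingerprints IOS offers during "crypto pki authenticate", matches the single configured trustpoint fingerprint by its length (MD5 or SHA1, exactly the "either one can be entered" behaviour Kings observed), and shows that a fingerprint is a digest over the whole DER certificate, separate from the signature hash set with "hash". The authenticate output is the one quoted in the thread; the DER bytes are constructed, not a real certificate.

```python
"""Trustpoint fingerprint check as IOS performs it during 'crypto pki
authenticate': the CA cert is offered with MD5 and SHA1 fingerprints, and the
one value configured with the trustpoint 'fingerprint' command must match
whichever of the two it corresponds to."""
import hashlib
import re

# Constructed sample: the 'crypto pki authenticate cisco' output from the thread.
AUTHENTICATE_OUTPUT = """\
router1(config)#crypto pki authenticate cisco
Certificate has the following attributes:
       Fingerprint MD5: 8D1A8193 2A9408AD B940AC90 74D75C66
      Fingerprint SHA1: B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE
"""
# Constructed stand-in for a DER-encoded CA certificate (not a real one).
SAMPLE_DER = bytes(range(256)) * 3

FINGERPRINT_RE = re.compile(r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)")

def normalize(fp):
    """Drop the 8-digit grouping spaces (and any colons) IOS prints; upper-case."""
    return re.sub(r"[\s:]", "", fp).upper()

def parse_fingerprints(output):
    """Return {'MD5': hex, 'SHA1': hex} from 'crypto pki authenticate' output."""
    return {alg: normalize(val) for alg, val in FINGERPRINT_RE.findall(output)}

def der_fingerprints(der):
    """Fingerprints as IOS shows them: MD5 and SHA1 over the whole DER cert.
    The signature algorithm inside the cert (e.g. 'SHA512 with RSA Encryption'
    after 'hash sha512' on the CS) is separate and does not change which
    fingerprint digests are displayed."""
    return {"MD5": hashlib.md5(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}

def match_trustpoint_fingerprint(offered, configured):
    """Choose MD5 (32 hex digits) or SHA1 (40) from the configured value's
    length and compare; return the algorithm that matched, or None (IOS would
    then reject the CA certificate)."""
    want = normalize(configured)
    alg = {32: "MD5", 40: "SHA1"}.get(len(want))
    if alg is None or offered.get(alg) != want:
        return None
    return alg

if __name__ == "__main__":
    offered = parse_fingerprints(AUTHENTICATE_OUTPUT)
    trustpoint_fp = "B59A1756 C4DFD302 8AB3A5A1 C5A1F58D 56BFF1BE"
    print(match_trustpoint_fingerprint(offered, trustpoint_fp))  # SHA1
```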
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
