Good question.
Well this is my understanding.
The signature seems to be hidden.
Fingerprint or thumbprint is just the hash of the certificate. You can find
only the SHA and MD5 hashes, and they can't be changed.
The signature hash can be chosen, and that signature is encrypted using RSA.
router2#sh crypto ca certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number: 0x2
Certificate Usage: General Purpose
Issuer:
cn=r1
Subject:
Name: router2
hostname=router2
Validity Date:
start date: 07:44:46 UTC Oct 13 2011
end date: 07:44:46 UTC Oct 12 2012
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 360FE194 BE66C883 F9F2AE74 0187B776
Fingerprint SHA1: 1477918C ED605B08 5ADA7DF9 E78E1EF4 B7FC835D
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 20069EB3 E7DEFC67 A1AF2E1C 12ECA413 0199157A
X509v3 Authority Key ID: 7233C609 6136E028 15F44746 240A841D F077BB6A
Authority Info Access:
Associated Trustpoints: cisco
Key Label: router2
With regards
Kings
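Since the IOS output above never prints the signature itself, here is an added example (mine, not from the thread, Cisco or OpenSSL) that builds a tiny CA "r1" and an end-entity "router2" with the openssl CLI and shows the three top-level members of an X.509 certificate, the CA's fixed signature hash versus the freely chosen fingerprint digest (Oszkar's MD5-signature / SHA1-fingerprint observation below), and the verification step. It assumes openssl 1.1 or 3.x is on PATH; the key sizes, file names and work directory are my own choices.

```sh
# Added example, not from the thread: two-level PKI with openssl, mirroring the
# names r1 (CA) and router2 (end entity) used above. Assumes the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory, our own choice

make_pki() {
  # Self-signed CA certificate for r1 (2048-bit RSA, our choice of size).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=r1" \
    -keyout "$WORK/r1.key" -out "$WORK/r1.crt" 2>/dev/null
  # router2's key and CSR; r1 signs the CSR with SHA-256 to produce router2.crt.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=router2" \
    -keyout "$WORK/router2.key" -out "$WORK/router2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/router2.csr" -CA "$WORK/r1.crt" -CAkey "$WORK/r1.key" \
    -CAcreateserial -sha256 -days 365 -out "$WORK/router2.crt" 2>/dev/null
}

# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
# asn1parse at depth 1 prints exactly those three members; the trailing
# BIT STRING is the CA's RSA signature, the field the IOS output does not show.
top_level_fields() {
  openssl asn1parse -in "$WORK/router2.crt" | grep 'd=1 '
}

# Hash algorithm the CA chose when signing; it is fixed inside the certificate.
signature_algorithm() {
  openssl x509 -in "$WORK/router2.crt" -noout -text |
    awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Fingerprint: whoever inspects the certificate hashes its whole DER encoding
# with any digest they like. Output normalised to lowercase hex, no colons.
fingerprint() {
  openssl x509 -in "$WORK/router2.crt" -noout -fingerprint "-$1" |
    awk -F= '{ print $2 }' | tr -d ':' | tr 'A-F' 'a-f'
}

# The same value computed by hand: raw DER bytes piped through the digest.
der_digest() {
  openssl x509 -in "$WORK/router2.crt" -outform DER |
    openssl dgst "-$1" | awk '{ print $NF }' | tr 'A-F' 'a-f'
}

# Signature check: openssl hashes tbsCertificate, applies r1's public key to
# signatureValue and compares the two; exit status 0 means they match.
verify_chain() {
  openssl verify -CAfile "$WORK/r1.crt" "$WORK/router2.crt" >/dev/null
}

make_pki
echo "Top-level members of router2.crt:"; top_level_fields
echo "Signature algorithm: $(signature_algorithm)"
echo "MD5  fingerprint: $(fingerprint md5)"
echo "SHA1 fingerprint: $(fingerprint sha1)"
verify_chain && echo "router2.crt verifies against r1.crt"
```

The fingerprint functions show why a certificate can carry one digest in its signature algorithm and a different one in its displayed thumbprint: the signature hash is baked in by the CA, while the fingerprint is recomputed from the DER bytes by whoever is looking at the certificate.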
On Thu, Oct 13, 2011 at 1:41 AM, Imre Oszkar <[email protected]> wrote:
> This is what I thought as well, until I saw some certificates having
> MD5 as the signature hash algorithm and SHA1 as the fingerprint/thumbprint
> algorithm. Based on this, the Fingerprint/thumbprint cannot be the Digital
> signature of the CA.
> What I think now is that the fingerprint is just a simple Hash of the
> certificate, something similar to the Authority Key Identifier or Subject
> Key Identifier, which are Hashes of the public keys.
>
> But the question is then: where is the encrypted hash of the certificate (aka
> digital signature)?
>
>
> Thanks!
>
>
> On Wed, Oct 12, 2011 at 12:51 PM, waleed ' <[email protected]> wrote:
>
>> I think it is the Fingerprint; it is encrypted using the private key of the CA
>> server, and the client decodes it using the CA public key, hashes the
>> certificate and compares it with the decoded fingerprint.
>>
>> ------------------------------
>> Date: Wed, 12 Oct 2011 10:42:20 -0700
>> From: [email protected]
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] Digital certificates
>>
>>
>> Hi guys,
>>
>> In PKI, the CA will digitally sign every certificate as proof that it was
>> the one that issued the certificate.
>> This means that it will use its private key to encrypt the hash product
>> of the certificate.
>> Where can I find this information when I look at a certificate? Which
>> component of a certificate is the Digital Signature
>> of the CA?
>>
>> Thanks!
>> Oszkar
>>
>> _______________________________________________ For more information
>> regarding industry leading CCIE Lab training, please visit
>> www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>