
encryption of certificates (IOS)
Is there any way to choice the encryption algorithm for Cisco IOS PKI generated certificates? I see that the router will choice some default encryption Algorithms. But what if I want to use 3DES (which is not default) as encryption algorithm for my certificate encryption? I couldent find any good documention for this.
I know I can export the certificates in pem format encrypted with 3des. But this is not what I search for.
Output:
R1#show crypto pki certificates ver
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 04
Certificate Usage: Signature
Issuer:
cn=my.cisco.com
Subject:
cn=my.cisco.com Validity Date:
start date: 12:10:40 UTC Jan 3 2016
end date: 12:10:40 UTC Jan 2 2017
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: AB29BD62 C25A3D6B 60C9899A 9801DE44
Fingerprint SHA1: 99B399CE 4FD58316 94E9633B 1FA484F9 51DE13AF
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: FB8C03D2 08DFF62B 57308E2A 6F66A2A2 93AD123F
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: FB8C03D2 08DFF62B 57308E2A 6F66A2A2 93AD123F
Authority Info Access:
Associated Trustpoints: ciscoca
Storage: nvram:myca#4CA.cer
Comments
Hi,
The output you highlighted is just a bit confusing, but if you think about the technology it will make sense. The CA's signature is going to be used to sign all client certificates (it's like a stamp), and thus has to be readable (clear-text), and thus it CANNOT be encrypted. Being like a stamp, it means it's a fixed length data derived from some attributes identifying the CA, so it uses a hashing algorithm (default of MD5), which you can change, yes. Once clients will send the certificate request to the CA and receive their certificates with the CA signature, when presenting this certificates to other entities (like in a IPsec VPN to the remote VPN gateway), these entities need to validate the signature, to ensure it belongs to the proper CA that they trust, this is why the CA's signature (the hash) is signed by the CA's private key (which only the CA knows, or should) which comes from an RSA key-pair; the signature is validated buy making use of the CA's public key (which is basically the list of trsuted CA's for browers or the list of authenticated CA's for networking devices).
Regards,
Cristian.