encryption of certificates (IOS)

Is there any way to choice the encryption algorithm for Cisco IOS PKI generated certificates? I see that the router will choice some default encryption Algorithms. But what if I want to use 3DES (which is not default) as encryption algorithm for my certificate encryption? I couldent find any good documention for this.

I know I can export the certificates in pem format encrypted with 3des. But this is not what I search for.

Output:

R1#show crypto pki certificates ver
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 04
  Certificate Usage: Signature
  Issuer:
    cn=my.cisco.com
  Subject:
    cn=my.cisco.com   Validity Date:
    start date: 12:10:40 UTC Jan 3 2016
    end   date: 12:10:40 UTC Jan 2 2017
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption

  Fingerprint MD5: AB29BD62 C25A3D6B 60C9899A 9801DE44
  Fingerprint SHA1: 99B399CE 4FD58316 94E9633B 1FA484F9 51DE13AF
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: FB8C03D2 08DFF62B 57308E2A 6F66A2A2 93AD123F
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: FB8C03D2 08DFF62B 57308E2A 6F66A2A2 93AD123F
    Authority Info Access:
  Associated Trustpoints: ciscoca
  Storage: nvram:myca#4CA.cer

Comments

  • Hi,

           The output you highlighted is just a bit confusing, but if you think about the technology it will make sense. The CA's signature is going to be used to sign all client certificates (it's like a stamp), and thus has to be readable (clear-text), and thus it CANNOT be encrypted. Being like a stamp, it means it's a fixed length data derived from some attributes identifying the CA, so it uses a hashing algorithm (default of MD5), which you can change, yes. Once clients will send the certificate request to the CA and receive their certificates with the CA signature, when presenting this certificates to other entities (like in a IPsec VPN to the remote VPN gateway), these entities need to validate the signature, to ensure it belongs to the proper CA that they trust, this is why the CA's signature (the hash) is signed by the CA's private key (which only the CA knows, or should) which comes from an RSA key-pair; the signature is validated buy making use of the CA's public key (which is basically the list of trsuted CA's for browers or the list of authenticated CA's for networking devices).

    Regards,

    Cristian.

Sign In or Register to comment.