Authenticating the CA
The configuration process of trusting a CA is complete only when the CA is authenticated to the MDS switch. The switch authenticates the CA by obtaining the CA's self-signed certificate in PEM format, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its own certificate), the public key of the CA must be manually authenticated: contact the CA administrator and compare the fingerprint of the CA certificate against the value the administrator provides.
Note If the CA being authenticated is not a self-signed CA (that is, it is a subordinate CA to another CA, which itself may be a subordinate to yet another CA, and so on, finally ending in a self-signed CA), then the full list of the CA certificates of all the CAs in the certification chain needs to be input during the CA authentication step. This is called the CA certificate chain of the CA being authenticated. The maximum number of certificates in a CA certificate chain is 10.
Detailed Steps
To authenticate a CA, follow these steps:
- Expand Switches > Security, and then select PKI in the Physical Attributes pane.
- Click the Trust Point Actions tab in the Information pane.
- From the Command field drop-down menu, select the appropriate option.
Available options are caauth, cadelete, certreq, certimport, certdelete, pkcs12import, and pkcs12export. The caauth option is provided to authenticate a CA and install its CA certificate or certificate chain in a trust point.
- Click the Browse button in the URL field and select the appropriate import certificate file from the Bootflash Files dialog box. This is the file containing the CA certificate or certificate chain, given in the bootflash:filename format.
Note You can authenticate a maximum of 10 trust points to a specific CA.
Note If you do not see the required file in the Import Certificate dialog box, make sure that you have copied the file to bootflash. See the "Copying Files to Bootflash" topic.
- Click Apply Changes to save the changes.
Authentication is then confirmed or rejected depending on whether the certificate is accepted after manual verification of its fingerprint.
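The manual check in the last step is the only thing standing between a trust point and a rogue CA, so it is worth computing the fingerprint yourself before you hit Apply Changes. The following Python script is an added example and is not Cisco code or part of this procedure: it reads the same PEM file you would place in bootflash, splits it into the individual certificates of the chain, enforces the 10-certificate chain limit stated above, computes a colon-separated fingerprint for each certificate, and compares the expected root fingerprint (the value you obtain out of band from the CA administrator) in constant time. The sample PEM file and the expected fingerprint are constructed placeholders for the demonstration; the function names, the SHA-256 default, and the fingerprint formatting are this example's own choices, not anything from the MDS software.

```python
import base64
import hashlib
import hmac
import re
import textwrap
from typing import Dict, List

# Limit stated in the procedure: at most 10 certificates in a CA certificate chain.
MAX_CHAIN_LEN = 10

# Matches each PEM certificate block; the body may be wrapped across lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate found in a PEM file, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT_RE.findall(pem_text)]


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint of one certificate: hash of its DER encoding as AA:BB:CC... (uppercase)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Strip colons/spaces and uppercase so 'aa:bb' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def check_chain_file(pem_text: str, expected_root_fp: str, algo: str = "sha256") -> Dict:
    """Validate a CA certificate (or chain) file before importing it into a trust point.

    Raises ValueError if the file holds no certificate or more than MAX_CHAIN_LEN.
    Returns the per-certificate fingerprints and whether any of them matches the
    fingerprint obtained out of band from the CA administrator.
    """
    ders = pem_to_der_list(pem_text)
    if not ders:
        raise ValueError("no PEM certificate found in file")
    if len(ders) > MAX_CHAIN_LEN:
        raise ValueError(f"chain has {len(ders)} certificates, limit is {MAX_CHAIN_LEN}")
    fps = [fingerprint(d, algo) for d in ders]
    expected = _normalize(expected_root_fp)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    matched = any(hmac.compare_digest(_normalize(fp), expected) for fp in fps)
    return {"count": len(ders), "fingerprints": fps, "root_matches": matched}


def _as_pem(der: bytes) -> str:
    """Wrap raw bytes as a PEM certificate block (used only to build the constructed sample)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: these are NOT real DER certificates, only placeholder bytes
# standing in for a subordinate CA certificate followed by its self-signed root.
SUB_CA_DER = b"constructed-placeholder-DER-bytes-for-a-subordinate-CA-certificate"
ROOT_CA_DER = b"constructed-placeholder-DER-bytes-for-the-self-signed-root-CA-cert"
CONSTRUCTED_CHAIN_PEM = _as_pem(SUB_CA_DER) + _as_pem(ROOT_CA_DER)

# In practice this value comes from the CA administrator; here it is derived from
# the constructed root bytes so the example is self-contained.
EXPECTED_ROOT_FP = fingerprint(ROOT_CA_DER)


if __name__ == "__main__":
    result = check_chain_file(CONSTRUCTED_CHAIN_PEM, EXPECTED_ROOT_FP)
    for i, fp in enumerate(result["fingerprints"], 1):
        print(f"cert {i}: {fp}")
    print("root fingerprint matches administrator's value:", result["root_matches"])
```

Run it against the real chain file (`check_chain_file(open("ca-chain.pem").read(), fp_from_admin)`) and only proceed with caauth when `root_matches` is True; a mismatch means the file in bootflash is not the CA you think it is, and the trust point should not be created. Use whichever hash algorithm the CA administrator quotes (`algo="sha1"` is accepted for older CAs that still publish SHA-1 fingerprints).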
Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.