The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.
The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.
By default, no CA certificate fingerprint is configured for CA certificate authentication.
| Parameter | Description | Value |
|---|---|---|
| md5 | Sets the digital fingerprint algorithm to MD5. NOTE: SHA1 is recommended for higher security. | - |
| sha1 | Sets the digital fingerprint algorithm to SHA1. | - |
| fingerprint | Specifies the digital fingerprint value. This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number. | The digital fingerprint value is a hexadecimal string of case-insensitive characters. |
When obtaining a CA certificate, the device uses an algorithm to calculate the CA certificate fingerprint and compares the CA certificate fingerprint with the configured fingerprint. If the two values are the same, the device receives the CA certificate. When verifying a certificate, the device uses the public key of the CA certificate to authenticate the digital signature. If the digital signature can be decrypted, the certificate is verified.
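An offline pre-check for the comparison described above, as an added example (not code from the device or its vendor): it calculates the MD5 or SHA1 fingerprint over the DER encoding of a CA certificate file and compares it with the value you plan to configure. The function names, the separator handling and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex-digit length of each algorithm the fingerprint command offers.
HEX_LEN = {"md5": 32, "sha1": 40}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding; PEM input is base64-decoded first."""
    m = PEM_RE.search(cert_bytes)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert_bytes


def normalize(value: str, algorithm: str) -> str:
    """Lower-case the hex string and drop ':' or space separators (assumed
    to come from the tool the value was copied from)."""
    hexval = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]*", hexval) or len(hexval) != HEX_LEN[algorithm]:
        raise ValueError(f"expected {HEX_LEN[algorithm]} hex digits for {algorithm}")
    return hexval


def ca_fingerprint(cert_bytes: bytes, algorithm: str) -> str:
    """Hash the whole DER-encoded certificate with md5 or sha1."""
    return hashlib.new(algorithm, to_der(cert_bytes)).hexdigest()


def fingerprint_matches(cert_bytes: bytes, algorithm: str, configured: str) -> bool:
    """True only if the calculated and configured fingerprints are equal."""
    return hmac.compare_digest(ca_fingerprint(cert_bytes, algorithm),
                               normalize(configured, algorithm))


# Constructed bytes standing in for a CA certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-ca-certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        fp = ca_fingerprint(SAMPLE_PEM, alg)
        print(alg, fp, fingerprint_matches(SAMPLE_DER, alg, fp.upper()))
```

The PEM and DER forms of the same certificate give the same fingerprint because the hash is taken over the decoded DER bytes, not over the PEM text.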
Precautions

You can configure an algorithm to calculate the CA certificate fingerprint. If you run the fingerprint command multiple times in the same PKI realm view, only the latest configuration takes effect.