cisco handbook

cisco handbook.V cannot verify the signature on the CA's root certificate until it has the real public key. In order to solve the "chicken and egg" problem, you can first download the root certificate and then verify the authenticity of the CA's root certificate by out-of-band means (e.g., by making a phone call). In this way, after downloading the root certificate and checking the hash value, you can call the administrator of the root CA and ask him to tell you the hash value of the root certificate. If the hash value learned by phone matches the hash value seen on the digital certificate, the previously downloaded certificate is valid (provided that the phone number dialed is correct and the caller is the administrator of the real CA), and then you can use the public key contained in the certificate to verify the root certificate signed by the CA. The process of obtaining and installing a CA root certificate is often referred to as authenticating the CA's identity.Once you have authenticated the CA and have its root certificate intact, you can request your own certificate of identity (from the CA). This involves having the CA generate a public-private key pair for itself, and having the CA attach its own public key when requesting its own certificate of identity (from others). The owner of the ID book can be either a device or a person. Once the request is made to the CA, the CA obtains all the information about the applicant, generates the certificate of identity (including its public key), and then sends the certificate back to the applicant. If this step is all done electronically, how do you verify that the certificate of identity received is actually issued by the trusted CA server? The answer is simple. The CA not only issues the certificate, but also has its signature on the certificate.6.3 PKI Basics 313 name. Since the CA server has been previously authenticated and has a copy of its root digital certificate containing the public key, the applicant can verify the CA's digital signature on its own ID book. If the CA's signature is valid, the applicant knows that the received ID book is valid and can then install and use the certificate.6.3.6 Public Key Cryptography Standards There are many standards used by PKI, and a number of them have Public Key Cryptography Standard (PKCS) numbers. Some of these standards are used to control the format and use of certificates, including controlling requests to CAs for new certificates, the format of files to be used as new identity certificates, and the file format and usage permissions of certificates. The development of these standards facilitates interoperability between the various CA servers and the many different CA clients.Some of the standards with which the reader should be familiar are shown below by Foucaulti, covering a variety of separate protocols as well as the various protocols used to handle digital certificate certificates. PKCS#1: RSA encryption standard. PKCS#3; Diffie-Hellman Key Exchange. PKCS#7: Defines a format that the CA will use as a response to a PKCS#10 request. The responseitself is most likely to be a previously requested certificate of identity (or certificate). PKCS#10: defines a format for a certificate request sent to a CAO that wants to receive its own certificate of identity This request contains the public key of the entity that wishes to obtain the certificate. PKCS#12: defines a format for storing public and private keys, using cryptographically based symmetric keys, in order to "unlock" the data when the key is needed for use or access.6.3.7 Simple Certificate Registration Protocol. It is appropriate to authenticate the identity of the CA server, generate (for the CA server) the public key. private key pair, requesting the certificate of identity, and verifyingThe process of requesting and installing a certificate of identity can be divided into several steps. Cisco and several other vendors have collaborated to develop the Simple CertificateEnrollment Protocol (SCEP), which automates a large part of the process of requesting and installing a certificate of identity. Although this protocol is not an open standard, it is still supported by most Cisco devices and makes it very easy to obtain and install root certificates and Certificates of Identity.6.3.8 Revocation of Digital Certificates If a device with a Certificate of Identity is no longer in use, or if a device with a digital certificate is compromised and it can be determined that the device's private key information is no longer "exclusive" to it, the CA can be requested to revoke the certificate previously issued to the device. This gives rise to a unique problem. Under normal circumstances, two devices can perform mutual authentication without the aid of a CA.