Concept Guide
The Root CA generates a private key and a self-signed CA certificate.
The Intermediate CA generates a private key and a Certificate Signing Request (CSR).
Using its private key, the Root CA signs the Intermediate CA's CSR, producing a CA certificate for the Intermediate CA. This Intermediate
CA can then sign certificates for hosts in the network and also for further intermediate CAs. These CA certificates (Root CA and any
intermediate CAs), but not the corresponding private keys, are made publicly available on the network.
NOTE: CA certificates may also be bundled together for ease of installation. Their .PEM files are concatenated in order from the
"lowest" ranking CA certificate to the Root CA certificate. Bundled certificate files can be installed in a single step.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate their own private keys and create Certificate
Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to
download. The crypto cert generate request command generates a CSR for the locally generated private key.
The hosts on the network (SUT, syslog, OCSP, ...) also download and install the CA certificates of the Root and Intermediate CAs. By
installing these CA certificates, the hosts trust any certificate that chains to these CAs.
NOTE: You can download and install CA certificates in one step using the crypto ca-cert install command.
The Intermediate CA signs the CSRs and makes the resulting certificates available for download, for example from an FTP server.
Alternatively, the Intermediate CA can also generate the private keys and certificates for the hosts. The CA then makes each private key and
certificate pair available for the corresponding host to download. Because the private key leaves the CA in this case, you can password-encrypt it for
transfer; the crypto cert install command decrypts it with the password at installation time.
The hosts on the network (SUT, syslog, OCSP, ...) download and install their corresponding signed certificates. Each host can also verify
that the certificate it received really is its own, that is, that the public key in the certificate matches the private key it generated earlier.
NOTE: When you use the crypto cert install command to download and install a certificate, this match between the certificate and the
device's own private key is checked automatically.
Now that the X.509v3 certificates are installed on the SUT and the Syslog server, they can be used during the TLS handshake so that the
devices can verify each other's identity and exchange session keys to protect the session data. Each device verifies the peer's certificate
against the CA certificates it installed earlier, so a certificate that does not chain to an installed CA is rejected regardless of the name it carries.
The SUT enables Syslog-over-TLS by configuring the secure keyword in the logging configuration, for example: logging 10.11.178.1 secure 6514
(6514 is the registered port for syslog over TLS).
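The whole procedure above, carried out end to end with the openssl command line, as an added example that is not part of the original guide and does not use the switch CLI commands it describes: a Root CA, an Intermediate CA signed by the root, a host CSR for the syslog server signed by the intermediate, a CA bundle concatenated lowest-CA-first with the root last, and the checks an installer and a TLS peer perform (chain to an installed CA, hostname, certificate/private-key match, and round-tripping a password-encrypted private key). All names, the subject CN values, the hostname syslog.example.net, the passphrase and the rogue self-signed certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): two-tier CA with openssl.
# Names, subjects and the passphrase are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# X.509v3 extensions for each tier, written as openssl -extfile inputs.
write_ext_files() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > int.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:syslog.example.net\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > host.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:syslog.example.net\n' > rogue.ext
}

# Every party generates its own private key and a CSR; the private key
# never leaves the host that generated it.
gen_key_and_csr() {   # $1 = file basename, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_pki() {
    write_ext_files
    # 1. Root CA: private key + self-signed CA certificate.
    gen_key_and_csr root lab-root
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
        -extfile root.ext -out root.crt 2>/dev/null
    # 2. Intermediate CA: private key + CSR, signed by the root's key.
    gen_key_and_csr int lab-intermediate
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -sha256 -days 1825 -extfile int.ext -out int.crt 2>/dev/null
    # 3. Host (syslog server): private key + CSR, signed by the intermediate.
    gen_key_and_csr syslog syslog.example.net
    openssl x509 -req -in syslog.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -sha256 -days 365 -extfile host.ext -out syslog.crt 2>/dev/null
    # 4. CA bundle for installation on hosts: lowest-ranking CA first, root last.
    cat int.crt root.crt > ca-bundle.pem
    # 5. Constructed rogue self-signed certificate with the same name: shows that
    #    trust comes from the installed CA certificates, not from the name.
    gen_key_and_csr rogue syslog.example.net
    openssl x509 -req -in rogue.csr -signkey rogue.key -sha256 -days 365 \
        -extfile rogue.ext -out rogue.crt 2>/dev/null
}

# The check a TLS peer performs: does the presented certificate chain to an
# installed CA, is it usable as a server certificate, and does it name the
# host we dialled?  Returns 0 (trusted) or non-zero (rejected).
verify_peer() {   # $1 = certificate to check, $2 = expected hostname
    openssl verify -CAfile ca-bundle.pem -purpose sslserver \
        -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The "is this really my certificate" check done at install time: the public
# key inside the certificate must equal the one derived from the private key.
cert_matches_key() {   # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Password-protecting a private key for transfer, and decrypting it again.
encrypt_key() {   # $1 = key, $2 = passphrase, $3 = output file
    openssl pkey -in "$1" -aes256 -passout "pass:$2" -out "$3"
}
decrypt_key() {   # $1 = encrypted key, $2 = passphrase, $3 = output file
    openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

build_pki
verify_peer syslog.crt syslog.example.net && echo "syslog.crt: chains to installed CAs"
verify_peer rogue.crt syslog.example.net || echo "rogue.crt: rejected, not signed by a trusted CA"
cert_matches_key syslog.crt syslog.key && echo "syslog.crt matches syslog.key"
encrypt_key syslog.key 'lab-passphrase' syslog.key.enc
decrypt_key syslog.key.enc 'lab-passphrase' syslog.key.dec
cert_matches_key syslog.crt syslog.key.dec && echo "decrypted key still matches syslog.crt"
```

The bundle order in step 4 is the one the guide describes (intermediate first, root last). Because the rogue certificate is self-signed and not in the bundle, openssl verify rejects it even though its subject and subjectAltName match the syslog server's name; this is the property the SUT relies on when it validates the syslog server during the TLS handshake.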