The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.
The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.
By default, no CA certificate fingerprint is configured for CA certificate authentication.
| Parameter | Description | Value |
|---|---|---|
| md5 | Sets the digital fingerprint algorithm to MD5. | - |
| sha1 | Sets the digital fingerprint algorithm to SHA1. | - |
| sha256 | Sets the digital fingerprint algorithm to SHA256. | - |
| fingerprint | Specifies the digital fingerprint value. This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number. | The digital fingerprint value is a hexadecimal string of case-insensitive characters. |
Usage Scenario
When obtaining a CA certificate, the device uses the configured algorithm to calculate the fingerprint of the received CA certificate and compares it with the configured fingerprint. If the two values are the same, the device accepts the CA certificate. When verifying a certificate, the device uses the public key of the CA certificate to check the certificate's digital signature. If the signature check succeeds, the certificate is verified.
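The following added example (not the device's own code) models the acceptance check described above: hash the CA certificate's DER encoding with the chosen algorithm (md5, sha1 or sha256) and compare the result, case-insensitively, with the configured fingerprint. The PEM sample, the tolerance for colon or space separators, and all function names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import re

# Algorithms the fingerprint command accepts, mapped to hashlib digest names.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}

# Constructed sample: a PEM wrapper around arbitrary bytes that stand in for a
# CA certificate's DER encoding. It is not a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-ca-certificate-der-bytes-for-demo").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode to the DER bytes the hash covers."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def certificate_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hash the DER encoding with the selected algorithm; returns lowercase hex."""
    try:
        digest_name = ALGORITHMS[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    return hashlib.new(digest_name, cert_der).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept case-insensitive hex; colon/space separators are an assumed convenience."""
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint must be a hexadecimal string")
    return cleaned


def ca_certificate_accepted(cert_der: bytes, algorithm: str, configured: str) -> bool:
    """Decision made when a CA certificate is obtained: accept it only if the
    computed fingerprint equals the configured one."""
    computed = certificate_fingerprint(cert_der, algorithm)
    expected = normalize_fingerprint(configured)
    # A mismatched algorithm yields a different digest length; compare_digest
    # rejects that too, without leaking timing on partial matches.
    return hmac.compare_digest(computed, expected)
```

A fingerprint configured with sha256 will never match when the device computes with sha1 or md5, so the algorithm keyword and the value must be taken from the same CA-side display.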
Precautions
You can configure the algorithm used to calculate the CA certificate fingerprint. If you run the fingerprint command multiple times in the same PKI realm view, only the latest configuration takes effect.
The MD5 and SHA1 algorithms are considered weak. SHA256 is recommended.