Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PKI - SSL/TLS X.509 Certification Enrolment and Authentication

Hi Guys,

Can anyone confirm how TLS/SSL X.509 and PKI works. I have drafter the following from varios documents I have read and want to conffirm if this is in fact correct or is way off the mark?

Wifi PC <---------------------------> Cisco ACS



1. Both devices are assigned digital certificates from the same CA.

2. When a hosts wants a digital certificate, the host creates a pair of public/private keys

3. Then the host then sends a Public Key Cryptography Standards #10 (CSR: Certificate Signing Request) to the CA with only its public key and other X.509 information

4. If successful, the CA will send the host a digitally signed certificate back which has been signed using the CAs private key.(note: is this just: the CA has looked at the host information contained in the X.509 cert, like directory name, OUI etc etc and the public key, then takes a hash from this information and then encrypts it with the CAs private key?)

5. The CA also sends the host is own digital certificate which becomes the root certificate for the newly generated client certificate?

Enrolment is completed?

Both hosts complete this phase.



1. Wifi PC sends certificate to Cisco ACS

2. Cisco ACS decrypts "independently of anything else" the wifi PCs certificate which include the wifi PCs Public key, digital signature and other X.509 parameters and produces HASHVALUE1

3. Cisco ACS then looks at the "Signature portion ONLY" of the wifi PCs certificate and sees that a specific CA has digitally signed this certificate "with the CAs private key" and then the ACS uses it's root CA's certificate it has in its store and decrypts the private key received from the wifi PCs digital cert (in the signature portion only) with the "CAs public key". This produces HASHVALUE2.

4. If the independent HASHVALUE1 which was based on the received wifi PCs certificate as a whole (ie, X.509, public key, signature etc etc) and HASHVALUE2 which was just calculated on the wifi PCs digital signature (which was encrypted with the CAs private key) and decrypted with the CAs public key the ACS has, MATCH, authentication is granted.

Authentication is completed.

One last question. What ever happened to the Hosts private key it generated when it created the public/private key for the Public Key Cryptography Standards #10 (CSR: Certificate Signing Request) ????

I hope this all makes sense and if you can help me with this, it would be great.

Many thx and kind regards,