What is the difference between a CA certificate and an identity certificate?

Hi. When I try to configure the ASA through ASDM, I notice there are two certificates in ASDM: CA certificate and identity certificate. Can anyone explain the difference between a CA certificate and an identity certificate? Thank you.
eemoon asked:
pgolding00 commented:
a ca cert is a cert signed and issued by a signing authority. that could be your own authority, mine, or any of the public authorities, e.g. digicert, cybertrust, geotrust, thawte, rsa etc. - there are thousands of them now.

a self-signed cert is a cert not signed by a public authority. in this case it's signed by the asa, which is not a public certificate authority. therefore i don't know if i should trust a cert signed by your asa, while i might be happy to trust a cert signed by a public authority.

an asa self-signed cert used by a corporation for anyconnect vpn, as an example, when the users of that vpn are the staff of the corporation, should not be a real issue. but using a self-signed cert on a public web site, say some e-commerce site, would likely turn away those that understand, because there is no evidence that the site has any degree of trustworthiness associated with it.

on the other hand, https://www.cisco.com/ presents a cert signed by verizon. verizon are expected to verify the credentials of cisco prior to issuing that cert to them. i trust that verizon did so, therefore i trust that the cisco site is legitimate, so i would trade through their website.

on the asa, you can examine the details of the ca cert to see who it is signed by, when it expires etc. via the cli, "show crypto ca cert" will show the details.
eemoon (author) commented:
Thank you so much for your fast reply, which is very helpful. There are two kinds of certificates (please see the screenshot in the attachment). One is identity and the other is CA certificate. What is the relation between the identity certificate and the CA certificate? Can we think of the identity certificate as a self-signed certificate, or something else?
pgolding00 commented:
ah, ok. this is slightly different. with a self-signed cert, it's signed by the device that's using it and no other device or authority is involved.

a cert signed by an authority is however different. given that we need some starting point, the browser makers (mozilla et al., microsoft, apple etc.) build into their product some signing authority root certs. it's generally accepted that we trust these root certs because they are often public companies, well known brands etc. that bring some degree of reputation with their names.

the whole cert business is about developing trust. one can never be sure if my-domain.com is a trustworthy site or trustworthy business, or not. but if my-domain buys a cert signed by some ca, then that ca is supposed to verify that the domain part of the name in the cert actually belongs to the purchaser, plus some other checks. if they do these checks successfully, they then sign the cert. so by inference we trust things that are signed by the ca, and they sign the my-domain cert using the ca's root, or an intermediate, as proof that it comes from the ca (otherwise it could be forged).

in a nutshell, i don't know/trust eemoon, but i do know rapidssl. eemoon buys a cert signed by rapidssl and puts it on his web site. i browse to eemoon.com and find the cert signed by rapidssl, so i trust eemoon's site because i trust that rapid verified enough to their satisfaction to sign the eemoon cert. in this case rapid signed your cert with their root cert and that root cert is built into my safari browser, so i implicitly trust it.

then there are intermediate certs. all certs have an expiry timestamp (date and time). beyond that time the cert is not necessarily to be trusted. if the ca's root cert expires, are all the certs they signed with it still trustworthy? if someone cracks the private key of that root cert, are the certs signed by it still trustworthy? someone untrustworthy now has the private and public keys, so they can go sign anything they want! there's no way to tell which were signed by the real ca and which by our cracker. now the ca has to revoke their root signing authority (this is what CRLs are about). so now, all those browsers find they can't trust ANY cert signed by that root cert, and the ca looks very silly.

soooo, the ca will normally only sign a very small number of (subordinate or intermediate) certs with the root. they then take the root cert machine off-line and lock it up. then they use these intermediates to sign the customer certs. look in your browser - digicert and entrust are good examples as they have a bunch of intermediates. most of the bigger ones actually have a chain of intermediates and they use the last one to sign the cust certs. that way if something goes wrong, they don't have to revoke so many cust certs.

if you browse to https://www.cisco.com and then click on the cert info, you will see a cert with subject cisco.com and signed by (aka "issuer" in the cert detail) "Verizon Akamai SureServer CA G14-SHA1". select details and you find a chain of root, intermediate and then cisco. the cisco cert has a field called "ca key identifier". if you look at the "Verizon Akamai SureServer CA G14-SHA1" cert it has a field called "cert subject key id". the ca identifier of cisco matches the subject key id of the verizon intermediate. the ca key id of the verizon cert matches the subject id of the baltimore cybertrust root, and my browser has that baltimore root built in. therefore i trust cisco because i trust baltimore and the signing chain is intact.

meanwhile back at the asa, sometimes sites use a new ca which is not built into my ie 3.0 browser (because ie 3.0 is so old). or more commonly, intermediate signing authority certs have a relatively short lifetime (in that cisco case, the cisco cert is good for one year from may 2014 to may 2015, the intermediate is good from 2014 to 2021, while the root has a lifetime of 2000-2025). my new firefox 57.0 will be released after cisco's cert and the intermediate expire. baltimore sign a new intermediate and cisco buy a new cert signed by the new intermediate. the intermediate is still signed by the baltimore root, good until 2025. but my browser may not have the intermediate built in now, because the intermediate is newer than when the browser was made. so the web site can actually send the subject cert, plus a new intermediate or even a chain of them. just as long as i can eventually work back through the chain to one that i trust, everyone's happy!

so in asdm you see ca and identity. your end subject cert goes in the identity because it identifies your site. if you wanted or needed to, you can add the intermediates and root signing certs in under the ca area. from memory, when these are added in, the asa understands the chaining, because you need to add them all in from one chain file. when it's done right, the browser will then receive the subject and the chain and it's happy. if not, it pops up the security warning message, if it does not recognise any cert in the chain.

sorry it's a bit long, but we got there eventually. the process to create that chain can be easy as some CAs issue certs in chain format. others have the option and some just don't. for those that don't, if you need the chain you can build it yourself using tools like openssl, but that story is significantly longer!
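
The chain walk described above (identity cert -> intermediate -> root, linked by authority/subject key identifiers, and the browser only accepting the chain when the intermediate is sent along), as an added example that is not part of the thread; it uses Go's standard library and all CA names and the hostname are constructed:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a cert for cn with parent (nil parent = self-signed root). Go sets a Subject Key ID on CA certs and copies the parent's into the child's Authority Key ID.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only CA certs may sign other certs; the identity cert is an end entity
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildChain constructs root -> intermediate -> identity cert; the names are made up.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := issue("vpn.eemoon.example", false, inter, interKey)
	return root, inter, leaf
}
// Linked reports whether child's Authority Key ID matches parent's Subject Key ID.
func Linked(child, parent *x509.Certificate) bool {
	return len(child.AuthorityKeyId) > 0 && string(child.AuthorityKeyId) == string(parent.SubjectKeyId)
}
// ChainLength verifies leaf as a browser trusting only root would (0 = rejected); sendInter models whether the server (the ASA) sends the intermediate too.
func ChainLength(leaf, inter, root *x509.Certificate, sendInter bool) int {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if sendInter {
		opts.Intermediates.AddCert(inter)
	}
	if chains, err := leaf.Verify(opts); err == nil {
		return len(chains[0])
	}
	return 0
}
```

Without the intermediate the verifier has no path from the identity cert to the trusted root and rejects it, which is the security warning the answer describes; with it, the accepted chain has three certs.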
pgolding00 commented:
and a mistake in my first comment. verizon did not issue the cisco cert, baltimore did, so baltimore would/should do the verification.