The router needs to authenticate the CA to verify that it is valid.
The router does this by obtaining the self-signed certificate of the CA, which
contains the public key of the CA. Because the CA certificate is self-signed,
meaning that the CA signs its own certificate, nothing in the certificate itself
proves that it came from the CA, so the public key of the CA must be
authenticated manually. This is done by contacting the CA administrator over a
channel you already trust and verifying the fingerprint of the CA certificate.
If the fingerprint the router displays does not match the one the administrator
gives you, answer no at the prompt; otherwise an attacker who can intercept the
exchange with the CA could substitute a certificate of their own. To obtain the
certificate of the CA, use the crypto pki authenticate name command in
global configuration mode. Use the same name that was used when declaring the
CA with the crypto pki trustpoint command.
If RA mode is used (the enrollment mode ra command), the RA signing and
encryption certificates are returned from the CA along with the CA certificate
when the crypto pki authenticate command is issued.
The following example shows a CA authentication:
RouterA(config)# crypto pki authenticate VPNCA
Certificate has the following attributes:
Fingerprint: 93700C31 4853EC4A DED81400 43D3C82C
% Do you accept this certificate? [yes/no]: y
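The fingerprint comparison itself happens off the router: the CA administrator computes the fingerprint of the CA certificate on their side and you compare it with what the router prints. The following Python is an added example of that check, not Cisco's code and not part of the original page. It assumes the CA certificate is available as a PEM file, hashes its DER encoding (which is what a certificate fingerprint is), renders the digest in the 8-character uppercase groups IOS prints, and compares it with the router's output while ignoring case, spaces and colons. The PEM below is a constructed placeholder, not a real certificate; the functions work on any DER bytes.

```python
"""Out-of-band check of a CA certificate fingerprint before answering
'yes' to crypto pki authenticate.  Added example; not Cisco's code."""
import base64
import hashlib
import re

# Constructed stand-in for the CA certificate exported as PEM.  The body
# is base64 of the bytes b"abc", not a real X.509 certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def ios_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hash the DER encoding and render it the way the router prints it:
    uppercase hex split into 8-character groups separated by spaces.
    algo is 'md5' or 'sha1' depending on which digest the IOS release shows."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint: str) -> str:
    """Keep only hex digits so 'AB CD', 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def fingerprints_match(shown_on_router: str, from_ca_admin: str) -> bool:
    """True only when both values are non-empty and identical after
    normalisation.  An empty value never matches: a blank answer from the
    administrator must not be mistaken for confirmation."""
    a, b = normalize(shown_on_router), normalize(from_ca_admin)
    return bool(a) and a == b


def answer_for_prompt(shown_on_router: str, from_ca_admin: str) -> str:
    """What to type at '% Do you accept this certificate? [yes/no]:'."""
    return "yes" if fingerprints_match(shown_on_router, from_ca_admin) else "no"


if __name__ == "__main__":
    # Hypothetical values: the router's line from the page and the
    # administrator's fingerprint computed from the exported certificate.
    router_line = "93700C31 4853EC4A DED81400 43D3C82C"
    admin_fp = ios_fingerprint(pem_to_der(SAMPLE_PEM), "md5")
    print("router :", router_line)
    print("admin  :", admin_fp)
    print("answer :", answer_for_prompt(router_line, admin_fp))
```

Because the placeholder certificate is not the one the page's router saw, the script answers no for it; with the real exported CA certificate the two fingerprints must be identical before you answer yes.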