Configure CA Support on a Cisco Router
Step 6 – authenticate the CA

The router needs to authenticate the CA to verify that it is valid. The router does this by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA certificate is self-signed, meaning that the CA signs its own certificate, the public key of the CA should be manually authenticated. This is done by contacting the CA administrator to verify the fingerprint of the CA certificate. To get the public key of the CA, use the crypto pki authenticate name command in global configuration mode. Use the same name that was used when declaring the CA with the crypto pki trustpoint command.

If RA mode is used (configured with the enrollment mode ra command), issuing the crypto pki authenticate command returns the RA signing and encryption certificates from the CA as well as the CA certificate.

The following example shows a CA authentication:

RouterA(config)# crypto pki authenticate VPNCA
Certificate has the following attributes:
Fingerprint: 93700C31 4853EC4A DED81400 43D3C82C
% Do you accept this certificate? [yes/no]: y
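
The out-of-band check described above, as an added example (not from the original page or from Cisco): the CA administrator's side of the comparison, computing the fingerprint of the CA certificate file and comparing it with what the router displays before anyone answers yes. It assumes the 32-hex-digit fingerprint shown is an MD5 digest of the DER-encoded certificate; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Digest algorithm inferred from the number of hex digits the router displays.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize(fp: str) -> str:
    """Drop spaces and colons and upper-case, so router and OpenSSL styles compare equal."""
    hexdigits = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", hexdigits) or len(hexdigits) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a recognizable certificate fingerprint")
    return hexdigits

def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hash the DER encoding and group it in blocks of 8 hex digits, as in the router output."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def matches(router_display: str, ca_pem: str) -> bool:
    """True only if the fingerprint shown by the router is that of the CA's own certificate file."""
    shown = normalize(router_display)
    algo = ALGO_BY_HEX_LEN[len(shown)]
    expected = normalize(fingerprint(pem_to_der(ca_pem), algo))
    return hmac.compare_digest(shown, expected)

# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# of the encoded bytes, so any byte string exercises the comparison.
SAMPLE_DER = b"constructed stand-in for a DER-encoded CA certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("CA file fingerprint:", fingerprint(SAMPLE_DER))
    print("Page example matches sample CA file:",
          matches("93700C31 4853EC4A DED81400 43D3C82C", SAMPLE_PEM))
```

A mismatch means the certificate the router received is not the one the CA administrator holds, and the prompt should be answered no.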