Authenticate using the certificate

I have a certificate that I would like to use to authenticate a network connection.

The certificate has been installed successfully on the Z10 from an e-mail attachment.

Do I have to use QSslCertificate and a local file to add the certificate to the authentication process? Where can I access the locally installed certificates?

Yes, I use ignoreSslErrors and it works fine, but it is the kind of overkill solution that creates security problems.

Basically, I wanted to know if I can access the device certificate store.
My colleague asked an expert at BBLive and was told that it is not possible and that we would have to create our own certificate management using setLocalCertificate.

Not a very comfortable API, even worse than BlackBerry OS Java.

Tags: BlackBerry Developers

Similar Questions

  • How do I configure the iPad 2 to synchronize the iPad mail client with Exchange 2010 via ActiveSync using an SSL client certificate and user name and password?

    Hi Ewoki,

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the TechNet Exchange forum. Please post your question in the TechNet Exchange Server forums.

  • WCF error - unable to authenticate using 'DoLoginByPass()'

    Hello

    I can't run a WCF service in our new 6.1.1.1 test environment.
    The WCF service is a custom web service we created to read specific Prodika object data (e.g. plug) using the Prodika framework.

    The service works very well in 6.1.0.1; it has been installed in 6.1.0.1 production for a long time.


    Now we are testing the same WCF service against 6.1.1.1 and it does not seem to be working properly. I can read the WSDL from the server,

    but when I call the service (using SoapUI) I get the following error.
    I followed all the steps in the 'Configure Application Programming Interface' section of the Web Services guide.

    Based on the error below, do you have any ideas why we get this?

    Thank you

    ERROR:
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
      <s:Body>
        <s:Fault>
          <faultcode xmlns:a="http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/dispatcher">a:InternalServiceFault</faultcode>
          <faultstring xml:lang="en-US">Unable to authenticate using 'DoLoginByPass()'</faultstring>
          <detail>
            <ExceptionDetail xmlns="http://schemas.datacontract.org/2004/07/System.ServiceModel" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
              <HelpLink i:nil="true"/>
              <InnerException i:nil="true"/>
              <Message>Unable to authenticate using 'DoLoginByPass()'</Message>
              <StackTrace><![CDATA[at WCFPlatformExtensions.ExecContextCallInitializer.BeforeInvoke(InstanceContext instanceContext, IClientChannel channel, Message message)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InitializeCallContextCore(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InitializeCallContext(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)]]></StackTrace>
              <Type>System.ServiceModel.Security.SecurityAccessDeniedException</Type>
            </ExceptionDetail>
          </detail>
        </s:Fault>
      </s:Body>
    </s:Envelope>

    Configuration in the EnvironmentVariables.config file:

    #Integration services
    Prodika.ProdikaAPI.SysUser = [ProdikaApiUser]
    Prodika.ProdikaAPI.SysPassword = IgnoreMe
    Prodika.ProdikaAPI.IsLoginBypassOn = true
    Prodika.ProdikaAPI.IsUseTrustedAuth = true

    In 6.1.1.1 and the latest Extensibility Packs (3.0 and higher), Prodika.ProdikaAPI.SysUser must be removed from the environmentvariables.config file. It must now be configured using the SetupAssistant tool.

  • Use a self-signed certificate on TS 2008R2

    Hello reader,

    We use Firefox on a Terminal Server farm environment of about 20 servers.
    We use a lot of intranet sites for which we have self-signed certificates issued by our domain controller.

    In Firefox users get the security prompt sec_error_unknown_issuer. As far as I have read, Firefox does not check the local store for self-signed certificates.
    Is there a way we could set this up for all users so they do not see the above error for specific (intranet) websites?

    We do not want users to have to add the security (certificate) exception 20 times for EACH intranet website on 20 different servers.
    Is it something I can edit in mozilla.cfg on each server, or is there another solution?

    Thanks in advance,
    Kind regards
    Martijn

    I solved the problem with the how-to below:

    http://community.Spiceworks.com/how_to/15158-Firefox-trust-a-local-certificate-authority-for-all-users-and-computers

  • VPN client using a self-signed certificate on ASA

    Hello

    I need to set up a VPN client that uses a certificate automatically generated by the ASA.

    The VPN configuration is easy, especially with the use of the wizard.

    The problem is that I need the procedure to configure the ASA as a CA server and how to send the certificate to the client.

    Thank you

    Just to let you know, the ASA cannot act as a CA server for certificate-based authentication for IPsec VPN. It is only possible for SSL VPN. So in your case, the client should be the AnyConnect client.

  • Use certificate and password security on PDFs in Acrobat XI

    I would like to use certificate security and password security on PDF documents in Acrobat XI.

    Certificate security, so the PDF can be e-mailed or used outside of our network.

    Password security, so that within our network users cannot modify the PDF.

    I was able to create an action where I apply the password security, save, and then apply the certificate security and save, but it keeps only the last applied security, the certificate security.

    Any help would be appreciated.

    With certificate security, you can also restrict changes to the document.

  • How to authenticate to external services using a credential key?

    Hello

    I developed a BPEL web service that uses an external web service that is protected by user name and password.

    So in my composite.xml, I put these 2 lines within the reference tag for this service.

    <property name="oracle.webservices.auth.username" many="false" type="xs:string">ssa.gen</property>

    <property name="oracle.webservices.auth.password" many="false" type="xs:string">*</property>

    But as the password keeps changing, I need some other way to authenticate to this web service without giving the password.

    Can we use a csf-key here? As below:

    <property name="csf-key" type="xs:string" many="false">ssa.gen</property>

    How do I register a new user name and password for this key? I need the proper syntax to put in composite.xml and also how to map a user to a key.

    Kindly help.

    You can configure the CSF keys as follows.

    EM Console -> select the SOA domain (under the WebLogic domain name), right-click -> Security -> Credentials.

    Create Map -> name: oracle.wsm.security (if it does not already exist).

    Select the map -> Create Key.

    Specify the key name you want to use (for example "usernamekey"), choose the type Password, enter the user name and password and save.

    Now you can use this key in the csf-key property of the corresponding binding reference in composite.xml: usernamekey.

  • Getting an error while using a certificate chain

    Hello

    I use an SSL security certificate chain and when sending a message I get the error below. This error happens when B2B tries to retrieve the private key from the wallet to sign the message. It says "certificate alias found", but then gives an error while creating the message. Please find below the relevant portion of the log.

    2008.11.24 at 09:19:24:150: Thread-13: B2B - (DEBUG) oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin:getPrivateKeyFromWallet Enter
    2008.11.24 at 09:19:24:154: Thread-13: B2B - (DEBUG) oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin:getPrivateKeyFromWallet certificate alias found: [email protected], CN=RECIPIENT B2BONRAMP, OU=Digital ID Class 1 - Microsoft Full Service, OU=Persona Not Validated, OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O=VeriSign\, Inc.
    2008.11.24 at 09:19:24:159: Thread-13: B2B - (DEBUG) oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin:createMessage exception during create message construction
    2008.11.24 at 09:19:24:161: Thread-13: B2B - (DEBUG) oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin:createMessage exception msg: null
    2008.11.24 at 09:19:24:163: Thread-13: B2B - (DEBUG) oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin:createMessage exception stack trace: java.lang.NullPointerException
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.getPrivateKeyFromWallet(EBMSExchangePlugin.java:5967)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.getPrivateKeyForSigning(EBMSExchangePlugin.java:5322)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.signAttachment(EBMSExchangePlugin.java:5160)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.createMessage(EBMSExchangePlugin.java:2130)
    at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1641)
    at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:968)
    at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1147)
    at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:137)
    at oracle.tip.transport.basic.jms.JMSMonitor.processMessages(JMSMonitor.java:610)
    at oracle.tip.transport.basic.jms.JMSMonitor.run(JMSMonitor.java:236)

    2008.11.24 at 09:19:24:168: Thread-13: B2B - (ERROR) java.lang.Exception: java.lang.NullPointerException
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.createMessage(EBMSExchangePlugin.java:2289)
    at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1641)
    at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:968)
    at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1147)
    at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:137)
    at oracle.tip.transport.basic.jms.JMSMonitor.processMessages(JMSMonitor.java:610)
    at oracle.tip.transport.basic.jms.JMSMonitor.run(JMSMonitor.java:236)
    Caused by: java.lang.NullPointerException
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.getPrivateKeyFromWallet(EBMSExchangePlugin.java:5967)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.getPrivateKeyForSigning(EBMSExchangePlugin.java:5322)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.signAttachment(EBMSExchangePlugin.java:5160)
    at oracle.tip.adapter.b2b.exchange.ebms.EBMSExchangePlugin.createMessage(EBMSExchangePlugin.java:2130)
    ... 6 more


    Does anyone have an idea what could be the reason for this error?

    Help, please.

    Thank you and best regards,
    Anuj Dwivedi

    Hello

    You may have the whole chain.

    As an aside on the initially reported issue: if you do the same conversion, for some reason things don't work well. The workaround is as follows:

    1. Export the user certificate to a file, user.cer
    2. Remove the user certificate from ewallet.p12
    3. Import the user certificate from the file you created in step 1.

    It should work smoothly. HTH.

    Regards,
    Sinkar
    [Correction from Ramesh's team]

  • I am doing a Windows XP repair install, but it is not accepting the Certificate of Authenticity number on the CD cover. Why?

    I am doing a Windows XP repair install on my Dell in safe mode, but when I use the 25-character Certificate of Authenticity number on the CD envelope it tells me that these numbers are not valid! Help

    How to activate Windows XP
    http://support.Microsoft.com/kb/307890/en-us

    If Internet activation does not work, then see the section titled "How to activate Windows XP by phone".
    Also, make sure that you do not confuse product key numbers and letters
    (the number 8 for the letter B, etc.)

    ===================================================================

    Blank page when activating Windows in the Windows Product Activation wizard
    http://support.Microsoft.com/kb/314935

    How to contact a Microsoft Product Activation Center:
    http://support.Microsoft.com/default.aspx/KB/950929/en=us

    Microsoft Activation centers worldwide telephone numbers:
    http://www.Microsoft.com/licensing/existing-customers/activation-centers.aspx
    (This site is for activating Volume License, but if you call, they will help you)

    If the phone number is not working:
    Microsoft Worldwide contacts: http://www.microsoft.com/worldwide/default.aspx

    Once Windows is activated / Genuine Advantage Notifications:
    http://www.Microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=afd45b36-3d77-4259-801c-d31a9a90cdcf
    (This tool will confirm that the copy of Windows installed on your PC is genuine and authorized)

    J W Stuart: http://www.pagestart.com

  • "Update info" link does not work in Windows 8 when using a Microsoft account

    I have Windows 8 Pro. I had signed in with my Microsoft account.

    Recently I ran into synchronization problems and so had to sign out of and back in to my Microsoft account on my PC in Windows 8.
    I have two-step verification enabled on my Microsoft account and authenticate using the Authenticator app for Windows Phone 8.
    I signed in to the Microsoft account on my PC after switching to a local account and back to the Microsoft account. I used the normal password (not the app password, since it does not accept it). Signed in successfully, it says that settings cannot be synchronized until I "update info" in my Microsoft account. I know it is asking me for the passcode generated by the application, but the link is dead. Here is a screenshot of the link.
    How can I make it work?
    Resetting my PC isn't an option. I can't afford to lose everything I have on it. In addition, a system image backup at this stage is useless for obvious reasons.

    Hi Ram,

    As the update security information link is dead, you can sign in to the Microsoft account directly and update the security information.
    Here is the link: https://account.live.com/summarypage.aspx

    Why should I verify my email address?
    http://Windows.Microsoft.com/en-us/Windows-Live/account-verify-ID-email-address
    Security information for the Microsoft account: FAQ
    http://Windows.Microsoft.com/en-in/Windows-Live/account-security-password-information

    Let us know if that helps. If the problem persists, please reply and we will be happy to help you.

  • Error when trying to renew a certificate created by Adobe Reader

    A digital signature (basic Windows certificate) has now expired. It had been used successfully for several years.

    The user can no longer use this signature to sign digital signature fields on Adobe PDF documents.

    This is the first time we are trying to renew this certificate. Before, we used to create a new certificate.

    When trying to renew the certificate using the Certificates MMC snap-in (Certificate Manager), we get the following error:

    "The request contains no certificate template information."

    WindowsCertificateManagerSnapIn.jpg

    ErrorWhenRenewWindowsCertificate.jpg

    ErrorWhenRenewWindowsCertificate3.jpg

    Any help to enable renewal of the digital signature certificate will be greatly appreciated.

    Tarek

    Hi Tarek,

    There are a number of things at play here. First up, let's settle terminology. What you are asking about isn't a digital signature, but rather a digital ID. Think of this as similar to the pen-and-paper world, where the digital ID is the equivalent of the pen and is used to create the digital signature, just like the pen is used to create the wet-ink signature.

    What you need to do is called a key rollover, where you re-sign the public key to prolong its life. The big question is how you can re-sign the public key, and the answer is that you need the original certificate signing request (CSR in geek speak). Of course you don't have the CSR, because you don't get one when you use Acrobat/Reader to generate a self-signed digital ID. Probably this raises the question, what is a self-signed digital ID? At the start of the process of building a digital ID you initially generate the private key and the public key. However, there is a bit of textual information that is also packed with the public key, such as your name and address (postal or e-mail). The public key and the text information are packaged in the CSR, so you have the private key and the CSR sitting there separately. The next step is to send the CSR to the issuer to sign with their private key. At this point the issuer name, validity period, serial number and other information are packaged up in the public key certificate file, which, incidentally, also contains the signature itself. Now you've got a signed public key certificate, with the corresponding private key, sitting on your computer. If you take the two pieces and combine them in a single file, you end up with a digital ID.

    The thing is, when Acrobat/Reader generates a digital ID, it uses the private key to sign the CSR, so the resulting digital ID is known as "self-signed" in that the public key certificate part of the file has been signed by its own private key rather than by an issuing CA. The CSR is discarded during this operation and you end up with just a self-signed digital ID with a life expectancy of 5 years. The whole process is made as simple as possible for the end user, which is why there is no CSR floating around for them to deal with.

    All that being said, your only option is to use Acrobat or Reader to create a new self-signed digital ID and start using that in place of the expired one. You are trying to use Microsoft CAPI (Cryptographic Application Programming Interface) to send the CSR to a CA to have them sign the CSR and return a signed public key certificate file, but as I'm sure you've guessed by now, you don't have the CSR to send, so MS-CAPI returns the error message you posted in red font. It can't really say that, but that's what it means.

    I hope this helps.

    Steve

  • How can I get a name to fill in on the certificate widget?

    Hello

    I am using Captivate 5.5. I am trying to use the certificate widget which I dropped into my project. How can I get a user name on the first line? I'll use a text input field to ask for the name, and that is the name I want to print on the certificate.

    Also, I'm passing the assessment with a score of 100%, but on the certificate it says 0% and failed.

    Any help would be greatly appreciated.

    Thank you

    Hello

    To use this widget, do the following:

    • Insert at least one question slide.
    • Insert a blank slide after the results slide.
    • Insert the CertificateWidget.swf file from the Widget panel into the inserted slide.
    • Choose a template and fill in the information, for example the course name, course duration and signature.

    When users take the quiz, a slide with a text input box for the user name appears after the results slide. Users type their name in the box and click Submit to display the certificate. The certificate is then filled with the user name and the other settings you chose when inserting the widget.

  • FlexVPN without using certificates

    Hi all

    Is there a way we can use the AnyConnect VPN with FlexVPN clients without certificate-based authentication (as with the old Cisco VPN clients using a group key)?

    Is it possible to use the Cisco router itself like that, without involving an external Windows server in the whole setup (FlexVPN + AnyConnect)?

    Thanks in advance!

    Shamal,

    Take a look at the doc I wrote previously:

    https://supportforums.Cisco.com/docs/doc-23967

    (a relevant document will be published on EAC in the next couple of weeks)

    The IKEv2 RFC mentions that if you use EAP, you MUST use certificate authentication.

    Yes, an IOS router can act as an IOS CA and FlexVPN headend, even though you pointed out a problem with the single point of failure.

    Note that you'll need to authenticate and enroll the trustpoint on your headend for this as if it were an external device.

    M.

  • Authenticate or import a certificate from another vendor

    Hello

    I have to configure the following security scenario:

    On the Cisco:

    - Add the certificate of the CA server (CA1) which hosts the peer certificates

    - Add the Cisco certificate retrieved from the CA server (A2)

    So I used the following:

    crypto pki trustpoint CA_ROOT
     enrollment terminal
     usage ssl-server
     revocation-check none

    and manually authenticated the certificate of the CA server (A1).

    This is what it looks like:

    AS67129(config)#crypto pki authenticate CA_ROOT

    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself

    -----BEGIN CERTIFICATE-----
    MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj
    c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg
    U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw
    CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU
    RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG
    9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww
    4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/
    HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU
    XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng
    k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i
    nSGRkopq2MDqM3s=
    -----END CERTIFICATE-----
    quit

    Trustpoint 'CA_ROOT' is a subordinate CA and holds a non self signed cert

    Certificate has the following attributes:
    Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C
    Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A

    % Do you accept this certificate? [yes/no]: yes

    Trustpoint CA certificate accepted.

    % Certificate successfully imported

    Now when executing the command:

    crypto pki import CA_ROOT

    What is the difference between authenticate and import?

    The result of this import command is that the certificate is not signed by the private key of the Cisco.

    Currently there is no private key on the Cisco.

    Every certificate is generated by the CEP protocol server, which will provide the certificate to the peer in the host

    IPsec tunnel configuration.

    Thank you

    Renato

    Hi Renato.

    The crypto pki authenticate CA_ROOT command authenticates the certification authority (CA) (by obtaining the certificate of the CA).

    This command is required when initially configuring CA support on your router.

    This command authenticates the CA to your router by obtaining the CA certificate, which contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you enter this command.

    In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the CA certificate by checking its fingerprint. The CA administrator can also view the CA certificate fingerprint, so you should compare what the CA administrator sees with what the router displays on the screen. If the fingerprint on the router screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.

    Router(config)# crypto pki authenticate myca

    Certificate has the following attributes:
    Fingerprint: 0123 4567 89AB CDEF 0123
    Do you accept this certificate? [yes/no] y

    crypto pki import name certificate is to import the identity certificate onto the router.

    Here is the link you can follow

    http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c5.html#wp1044348

    HTH

    Concerning

    Regnier

    Please rate all useful posts
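    The fingerprint comparison the answer describes, as an added example that is not part of the original thread or of any Cisco tooling: the CA certificate pasted into the router above is re-joined into valid PEM, hashed the way the router hashes it (over the DER bytes, not the PEM text), printed in IOS's 8-character groups, and compared in constant time against the value the CA administrator reads out. The same standard-library ssl context that parses the subject and issuer back out is also the answer to the first post on this page: rather than ignoring SSL errors, load the one CA you have verified and keep verification on (a client certificate would be added with load_cert_chain, the setLocalCertificate analogue). ROUTER_SHOWED_SHA1 is the SHA1 value from the router output above; the function names are the example's own.

```python
import hashlib
import hmac
import ssl

# The CA certificate pasted into the router in the post above, re-joined into
# proper PEM (the stray spaces and trailing "." in the paste were artefacts).
CA_PEM = """-----BEGIN CERTIFICATE-----
MIIB5zCCAZGgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBKMREwDwYDVQQKEwhFcmlj
c3NvbjEPMA0GA1UECxMGQUwvRVRFMSQwIgYDVQQDExtURVNUIENBIGZvciBDUFAg
U0NFUCBzZXJ2ZXIwHhcNMDkxMDIyMDgzNzQxWhcNMTkxMDIwMDgzNzQxWjBYMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLRXJpY3Nzb24gQUIxDzANBgNVBAsTBkFML0VU
RTEiMCAGA1UEAxMZU3ViQ0EgZm9yIENQUCBTQ0VQIFNlcnZlcjCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA3bR1yEyvrYDafqGSxZTUNcHW8OozdNO4ZKoMFZww
4twVoC3mBvQxOYvEcC8YFgtxZVVynLzL1j/rEVyCIuGaTj5X7fNc9N7qDZMq1XQ/
HY8t+aBesvwrzjPKjt7rQ2P90B4w4uEjImGTyhmlGRlFx6XKz1ISMvGK+GLDtFlU
XqMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJxunpng
k6diona1Bn65ToH5nu67D4N/PlABuFy86PhN9UyY+bHockyspoGDmgHle1zX1b2i
nSGRkopq2MDqM3s=
-----END CERTIFICATE-----
"""

# SHA1 fingerprint the router printed in the post, for the out-of-band check.
ROUTER_SHOWED_SHA1 = "389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A"


def fingerprints(pem: str) -> dict:
    """Hash the DER encoding: that is what IOS (and everything else) fingerprints.
    Hashing the PEM text would give a different, meaningless value."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        "md5": hashlib.md5(der).hexdigest().upper(),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def ios_format(hexdigest: str) -> str:
    """Render a digest the way the router prints it: uppercase, 8-char groups."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare the value on the router screen with the one the CA administrator
    read out, ignoring spacing, colons and case; constant-time out of habit."""
    def norm(s: str) -> str:
        return s.replace(" ", "").replace(":", "").upper()
    return hmac.compare_digest(norm(shown), norm(expected))


def trusting_context(ca_pem: str) -> ssl.SSLContext:
    """A client context that trusts exactly this CA and keeps verification on.
    This is the alternative to ignoreSslErrors() asked about at the top of the
    page; a client certificate would be added with
    ctx.load_cert_chain(certfile, keyfile) (the setLocalCertificate analogue)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Read subject, issuer and validity back out of the context's trust store,
    so the operator also checks *which* CA this is, not only that a hash matches."""
    cert = ctx.get_ca_certs()[0]

    def name(rdns) -> dict:
        return {attr: value for rdn in rdns for attr, value in rdn}

    subject, issuer = name(cert["subject"]), name(cert["issuer"])
    return {
        "subject": subject,
        "issuer": issuer,
        "self_signed": subject == issuer,  # False here: it is a subordinate CA
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    fp = fingerprints(CA_PEM)
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo.upper():7}{ios_format(fp[algo])}")
    print("matches router display:", fingerprint_matches(ROUTER_SHOWED_SHA1, fp["sha1"]))
    info = describe(trusting_context(CA_PEM))
    print("issuer :", info["issuer"]["commonName"])
    print("subject:", info["subject"]["commonName"],
          "(root CA)" if info["self_signed"] else "(subordinate CA)")
    print("valid  :", info["not_before"], "to", info["not_after"])
```

    The parsed output makes the router's "subordinate CA, non self signed cert" remark concrete: the issuer (TEST CA for CPP SCEP server) differs from the subject (SubCA for CPP SCEP Server), so the fingerprint you confirm with the administrator is that of the subordinate, and the root that signed it is never seen by the router.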

  • IPsec VPN client authentication using a digital certificate

    Hello

    I need some clarification and help to set up my ASA 5540 with IOS 8.3.x for remote client certificate authentication.

    I have my root certificate from the Microsoft CA, but I am not quite sure if the steps described on the following Cisco web pages are exactly what I need, since the firewall seems to generate the certificate to use.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008073b12b.shtml

    My setup is such that the CA will issue certificates to the remote clients and to the ASA firewall, and remote clients will authenticate and connect with their certificates, which the firewall keeps checking using the revocation list updated by the certification authority.

    The DHCP pool must be issued by the DC on the inside network and not by the firewall.

    Any examples or best practices on how to achieve this would be really appreciated.

    Thank you

    Hi Josh,

    Let me explain briefly how PKI auth works:

    In a public key infrastructure configuration, devices do not trust each other directly; instead they have a certification authority, which is the one that issues the certificates. We call this the root CA (there may be a more complex configuration where intermediates are involved, but that's another story). So when the root CA issues a certificate, it signs it with its private key. To be able to verify this signature, we need the CA's public key, which is included in the CA certificate.

    So for certificate authentication, you must create a trustpoint, which defines the parameters of the root certification authority.

    Then you will authenticate this trustpoint, which basically means that you will get the certificate of the root CA and store it locally.

    After that, you enroll with this CA, which means that you will ask for (and get) your own certificate.

    Other peers will do the same and have the same root CA cert, but different personal (identity) certificates.

    So what happens on authentication is that both ends send their certificate to the other, and they will use the public key contained in the root CA certificate to validate the signature of the certificate received from the remote peer. If the signature is correct, this means that the root certificate authority actually issued the certificate and this remote peer can be trusted (or not).

    Hope this is clear.
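    The trust relationship this answer describes, and the self-signed digital ID explained in the Adobe Reader thread above, as one added toy model that is neither Cisco's nor Adobe's code: a root CA signs identity certificates with its private key, every peer validates the certificate it receives against the public key in the authenticated CA certificate, a certificate signed by any other key is rejected even when it claims the CA's name, and a self-signed ID validates only against itself. Keys are textbook RSA over fixed Mersenne primes, with no padding and no real X.509 encoding, so the script runs on the standard library alone; the names (Root CA, asa5540, mallory, Tarek) are constructed for the example.

```python
import hashlib
import json

# Toy RSA over fixed Mersenne primes: enough to show who signs what and who
# can verify it. Textbook RSA without padding is NOT safe for real use.
E = 65537
MERSENNE = {61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1, 127: 2**127 - 1}


def make_key(p: int, q: int) -> dict:
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key: dict) -> dict:
    """The part of a key that goes into a certificate."""
    return {"n": key["n"], "e": key["e"]}


def _digest(data: bytes) -> int:
    # 160-bit value, below every toy modulus above (all >= 2^168)
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv: dict, data: bytes) -> int:
    return pow(_digest(data), priv["d"], priv["n"])


def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data)


def to_be_signed(cert: dict) -> bytes:
    """Canonical encoding of everything in the certificate except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(issuer: str, issuer_priv: dict, subject: str, subject_pub: dict) -> dict:
    """Enrollment as seen from the CA: bind a subject name to its public key and
    sign that binding with the issuer's private key. Passing the subject's own
    key as issuer_priv yields a self-signed certificate: a root CA, or an
    Acrobat-style self-signed digital ID."""
    cert = {"subject": subject, "issuer": issuer, **subject_pub}
    cert["sig"] = sign(issuer_priv, to_be_signed(cert))
    return cert


def peer_trusted(peer_cert: dict, trustpoint_ca: dict) -> bool:
    """The check each side runs on the certificate the other side sends: the
    signature must verify under the public key held in the CA certificate the
    trustpoint was authenticated with. A matching issuer *name* proves nothing."""
    if peer_cert["issuer"] != trustpoint_ca["subject"]:
        return False
    return verify(public(trustpoint_ca), to_be_signed(peer_cert), peer_cert["sig"])


def scenario() -> dict:
    ca_key = make_key(MERSENNE[89], MERSENNE[107])
    root_ca = issue("Root CA", ca_key, "Root CA", public(ca_key))         # self-signed root

    asa_key = make_key(MERSENNE[61], MERSENNE[127])
    asa_cert = issue("Root CA", ca_key, "asa5540", public(asa_key))       # enrolled identity cert

    rogue_key = make_key(MERSENNE[61], MERSENNE[107])
    rogue_cert = issue("Root CA", rogue_key, "mallory", public(rogue_key))  # claims the CA's name

    tarek_key = make_key(MERSENNE[89], MERSENNE[127])
    self_id = issue("Tarek", tarek_key, "Tarek", public(tarek_key))        # self-signed digital ID

    return {
        "enrolled_peer": peer_trusted(asa_cert, root_ca),
        "tampered_subject": peer_trusted(dict(asa_cert, subject="evil"), root_ca),
        "rogue_issuer_name": peer_trusted(rogue_cert, root_ca),
        "self_signed_vs_ca": peer_trusted(self_id, root_ca),
        "self_signed_vs_itself": peer_trusted(self_id, self_id),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:24} {'trusted' if ok else 'rejected'}")
```

    The rogue_issuer_name case is the one worth staring at: the issuer string is identical to the real CA's, and it is rejected only because the signature does not verify under the key in the authenticated CA certificate. That is why the trustpoint's CA certificate has to be authenticated (fingerprint checked) before anything else: the key in it, not the name, is what every later peer check rests on.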
