PKI Enrollment

PKI enrollment is the process of adding a PKI user (such as a person, a device, or an application) to the PKI. The enrollment is done in the following way:

Step 1.

An enrolling user obtains the CA certificate (self-signed), in which the public key of the CA is embedded. This public key is later used to verify the digital signature of the CA on certificates of other entities, including the user's own certificate in Step 4.

Step 2.

The enrolling user sends its identity information and public key to the CA.

Step 3.

The CA verifies (authenticates) the user, signs the submitted information, and returns the signed data in the form of a certificate.

Step 4.

The user verifies the returned certificate using the public key of the CA from the previously obtained CA certificate.

The enrollment procedure is the initial step of establishing trust between a user and the CA. If the process is executed over an untrusted network, it is vulnerable to man-in-the-middle attacks, and in such cases it has to be secured.

Man-in-the-Middle PKI Enrollment Attack

Without any additional protection for the enrollment process, a man-in-the-middle attacker can spoof identities in two ways. In Step 1, when the end user requests the certificate of the CA, the attacker can replace the real CA certificate with a false CA certificate of the attacker's own; the end user would then trust the CA of the attacker instead of the real CA. In Step 2, the attacker can replace the submitted public key of the user with the public key of the attacker, causing the CA to issue a certificate that binds the name of the user to the key of the attacker.

Note that in the second case the attacker replaces only the public key of the user, not the identity (name) of the user, so the CA's identity check still succeeds. When the CA issues the certificate, the attacker can pretend to be the user by presenting the certificate with the name of the user but the public key of the attacker, for which only the attacker holds the private key.


Secure PKI Enrollment

To mitigate the risk of interception and key substitution during enrollment, the enrollment procedure needs to incorporate two out-of-band authentication procedures:

  • Verification by the enrolling PKI user that the correct CA certificate has been received
  • Verification by the CA that it has received the correct enrollment information from the enrolling PKI user

This can be done by out-of-band exchange of fingerprints (hashes) of the two messages: the CA certificate and the enrollment request. If the fingerprint received out of band matches the fingerprint computed over the received message, the message is authentic. However, if the enrollment is completed over a secure network, where interception is not possible, those security procedures might be relaxed or omitted completely.

To verify that the correct CA certificate has been received, a local hash (fingerprint) of the received information is calculated, as shown in Figure 25-6. This fingerprint is compared to the true CA certificate fingerprint, obtained over the telephone or another secure channel. If they match, the true CA certificate has been received.

Figure 25-6. Manually Securing PKI Enrollment

When the user submits the identity and public key information, a local hash (fingerprint) of the submitted information is calculated on the user side. The CA also hashes the enrollment request it received. The user and the CA then compare the two hashes over the telephone or another secure channel. If the two hashes match, the CA has received an unmodified enrollment request and can proceed to sign it.
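The whole exchange, Steps 1 through 4 together with the two out-of-band fingerprint checks of Figure 25-6 and both attacks from the previous section, as an added worked example. This is not code from the book or from Cisco Unified CallManager: it stands in textbook RSA (no padding, 512-bit toy modulus) and a JSON dictionary for the real certificate format, and the CA name "Corp Root CA", the phone name "SEP001122334455" and every key are constructed for the demonstration.

```python
"""Toy model of PKI enrollment (Steps 1-4), the two man-in-the-middle attacks, and the
out-of-band fingerprint checks. Added example: textbook RSA without padding and a JSON
dictionary as the "certificate"; not CallManager code and not usable as a real CA."""
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin for the toy key generator; callers only pass large odd candidates."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Returns (public, private) dicts. A 512-bit toy modulus, far below a real key size."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # 65537 is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": 65537}, {"n": p * q, "d": pow(65537, -1, phi)}

def fingerprint(obj):
    """Canonical SHA-256 of a message: the value read out over the telephone in Figure 25-6."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(private, obj):  # RSA over the same hash, no padding (toy)
    return pow(int(fingerprint(obj), 16), private["d"], private["n"])

def verify(public, obj, signature):
    return pow(signature, public["e"], public["n"]) == int(fingerprint(obj), 16)

def issue_certificate(ca, subject, public_key):
    tbs = {"subject": subject, "issuer": ca["name"], "public_key": public_key}
    return {"tbs": tbs, "signature": sign(ca["private"], tbs)}

def make_ca(name):
    public, private = generate_keypair()
    ca = {"name": name, "public": public, "private": private}
    ca["cert"] = issue_certificate(ca, name, public)  # self-signed CA certificate
    return ca

def enroll(ca, user_name, user_public, tamper=lambda step, msg: msg):
    """Steps 1-4 plus both fingerprint checks; tamper(step, msg) models the network path."""
    ca_cert_received = tamper("ca_cert", ca["cert"])                   # Step 1
    request_sent = {"subject": user_name, "public_key": user_public}   # Step 2
    request_received = tamper("request", request_sent)
    cert = tamper("cert", issue_certificate(                            # Step 3: CA signs what it got
        ca, request_received["subject"], request_received["public_key"]))
    return {
        "step4_signature_ok": verify(ca_cert_received["tbs"]["public_key"], cert["tbs"], cert["signature"]),
        "ca_fingerprint_ok": fingerprint(ca_cert_received) == fingerprint(ca["cert"]),
        "request_fingerprint_ok": fingerprint(request_received) == fingerprint(request_sent),
        "cert_binds_users_key": cert["tbs"]["public_key"] == user_public,
    }

def key_substitution(attacker_public):
    """Attack 1 from the text: keep the user's name, swap in the attacker's public key."""
    def tamper(step, msg):
        return {"subject": msg["subject"], "public_key": attacker_public} if step == "request" else msg
    return tamper

def rogue_ca(attacker_ca):
    """Attack 2 from the text: hand the user a false CA certificate, then issue from it."""
    def tamper(step, msg):
        if step == "ca_cert":
            return attacker_ca["cert"]
        if step == "cert":
            return issue_certificate(attacker_ca, msg["tbs"]["subject"], msg["tbs"]["public_key"])
        return msg
    return tamper

def run_demo():
    ca, attacker_ca = make_ca("Corp Root CA"), make_ca("Corp Root CA")  # same name, different key
    user_public, _ = generate_keypair()
    attacker_public, _ = generate_keypair()
    phone = "SEP001122334455"  # constructed device name, as are the CA name and all keys
    return {
        "honest": enroll(ca, phone, user_public),
        "key_substitution": enroll(ca, phone, user_public, key_substitution(attacker_public)),
        "rogue_ca": enroll(ca, phone, user_public, rogue_ca(attacker_ca)),
    }
```

Calling run_demo() returns, per scenario, which checks pass. In the honest run everything passes. Under key substitution, Step 4 still passes (the certificate really was signed by the real CA) and the CA fingerprint matches, but the request fingerprint does not and the issued certificate carries the attacker's key. Under the rogue CA, Step 4 also passes (the user is verifying against the attacker's CA certificate) and the request fingerprint matches, but the CA fingerprint does not. Neither Step 4 nor either single fingerprint comparison covers both attacks, which is why the text requires both out-of-band checks.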

Authorized Self-Study Guide: Cisco IP Telephony (CIPT), 2nd Edition
ISBN: 158705261X. Year: 2004. Pages: 329.