There are two situations in which the PKI administrator checks certificate fingerprints (the SHA1, MD5, SHA256, and SHA512 hashes) while processing certificate requests from SCEP clients.
- Preregistered SCEP clients who request certificates from this CA domain must download the correct PKI Services CA certificate to their workstations before they issue their certificate requests. After the download, the client can use the SCEP client software to display the fingerprints of the downloaded CA certificate and then confirm with the PKI administrator of the CA domain that it is the correct CA certificate.
To match CA certificate fingerprints with a SCEP client, the PKI administrator can display the fingerprints of the CA certificate for this domain by issuing the following MODIFY (or F) console command:
F PKISERVD,DISPLAY
The result of this command is information message IKYP025I. Sample output:
10.37.39 STC00146: IKYP025I PKI SERVICES SETTINGS:
CA DOMAIN NAME: Customers
SUBCOMPONENT MESSAGE LEVEL
LDAP ERROR MESSAGES AND HIGHER
SAF WARNING MESSAGES AND HIGHER
DB INFORMATIONAL MESSAGES AND HIGHER
CORE WARNING MESSAGES AND HIGHER
PKID VERBOSE DIAGNOSTIC MESSAGES AND HIGHER
POLICY WARNING MESSAGES AND HIGHER
TPOLICY WARNING MESSAGES AND HIGHER
MESSAGE LOGGING SETTING: STDOUT_LOGGING
CONFIGURATION FILE IN USE:
/etc/pkiserv/pkiserv.conf
TEMPLATE FILE IN USE:
/etc/pkiserv/pkiserv.tmpl
CA CERTIFICATE FINGERPRINTS:
SHA1: BB:B5:AF:38:BA:3B:33:61:46:F5:FE:AD:20:33:10:98:C2:D7:9A:BC
MD5: C6:E6:B2:F3:39:F0:7C:B5:A6:B6:F0:36:5F:2F:7D:C8
SHA256: FC:F6:DE:AF:CF:48:15:90:0E:91:9B:8F:5C:93:9B:FF:
1D:2D:FC:B1:10:33:2C:CB:B5:02:F4:8E:5E:41:FA:F8
SHA512: 14:DD:45:4C:78:66:47:0D:7B:BB:BE:56:33:F0:18:52:
F4:AD:0C:96:B9:78:5B:40:FF:AE:D5:EB:62:87:A6:22:
48:45:37:D6:4B:3A:DD:5C:F0:7D:6F:A5:D8:6F:6E:36:
E5:8C:77:D2:B5:BC:3E:14:E2:34:F8:A1:11:31:2B:E3
- When the PKI administrator receives a certificate request from a preregistered SCEP client, the PKI administrator can confirm the integrity of the certificate request by viewing its fingerprints on the "Single Request" Web page. (See Figure 1 for a sample.)
To ensure the integrity of the certificate request, the PKI administrator can contact the SCEP requestor to match the fingerprints in the received certificate request with the fingerprints in the original certificate request. (The certificate requestor can use the SCEP client software to view the fingerprints saved for the original request.)
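Both checks above come down to the same operation: hash the bytes you actually hold (the downloaded CA certificate, or the received certificate request) and compare the result, algorithm by algorithm, with the fingerprints the other party reads out. The following Python script is an added example and is not part of this documentation or of PKI Services; it shows how a client-side tool can compute all four fingerprints, parse the fingerprint section of an IKYP025I message (including the wrapped SHA256 and SHA512 lines in the layout of the sample above), normalize the two representations, and compare them. The CA certificate bytes are a constructed stand-in, not a real certificate, and the function names are this example's own.

```python
import hashlib
import hmac
import re

# Hash algorithms in the order the IKYP025I message lists them.
FINGERPRINT_ALGS = ("SHA1", "MD5", "SHA256", "SHA512")

# Constructed stand-in for the DER bytes of a downloaded CA certificate.
# It is NOT a real certificate; the hashing is the same for any byte string.
SAMPLE_CA_DER = b"\x30\x82" + bytes(range(256)) * 2

# The fingerprint section of the IKYP025I sample output shown above.
SAMPLE_IKYP025I = """\
CA CERTIFICATE FINGERPRINTS:
SHA1: BB:B5:AF:38:BA:3B:33:61:46:F5:FE:AD:20:33:10:98:C2:D7:9A:BC
MD5: C6:E6:B2:F3:39:F0:7C:B5:A6:B6:F0:36:5F:2F:7D:C8
SHA256: FC:F6:DE:AF:CF:48:15:90:0E:91:9B:8F:5C:93:9B:FF:
1D:2D:FC:B1:10:33:2C:CB:B5:02:F4:8E:5E:41:FA:F8
SHA512: 14:DD:45:4C:78:66:47:0D:7B:BB:BE:56:33:F0:18:52:
F4:AD:0C:96:B9:78:5B:40:FF:AE:D5:EB:62:87:A6:22:
48:45:37:D6:4B:3A:DD:5C:F0:7D:6F:A5:D8:6F:6E:36:
E5:8C:77:D2:B5:BC:3E:14:E2:34:F8:A1:11:31:2B:E3
"""

_LABEL = re.compile(r"^(SHA1|MD5|SHA256|SHA512):\s*(.*)$")
_HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}:?)+")


def fingerprints(der_bytes: bytes) -> dict:
    """Hash the certificate's DER encoding with each algorithm and format the
    digest as colon-separated upper-case octets, the way IKYP025I prints it."""
    return {
        alg: ":".join(f"{b:02X}" for b in hashlib.new(alg.lower(), der_bytes).digest())
        for alg in FINGERPRINT_ALGS
    }


def parse_ikyp025i(text: str) -> dict:
    """Pull the four fingerprints out of IKYP025I console output.

    Long digests wrap onto continuation lines, so a value keeps accumulating
    until a line arrives that is neither a new label nor a run of hex octets.
    """
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LABEL.match(line)
        if m:
            current = m.group(1)
            found[current] = m.group(2)
        elif current and _HEX_RUN.fullmatch(line):
            found[current] += line
        else:
            current = None
    return found


def normalize(fp: str) -> str:
    """Drop separators and case so 'bb:b5:af', 'BBB5AF' and 'BB B5 AF' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def verify_fingerprints(der_bytes: bytes, displayed: dict) -> dict:
    """Compare what the other party displayed against what the bytes in hand hash to.

    Every algorithm must be present and match; a missing entry counts as a
    failure so that a truncated or partially read-out display cannot pass.
    """
    computed = fingerprints(der_bytes)
    return {
        alg: alg in displayed
        and hmac.compare_digest(normalize(displayed[alg]), normalize(computed[alg]))
        for alg in FINGERPRINT_ALGS
    }


def all_match(results: dict) -> bool:
    return bool(results) and all(results.values())


def render_fingerprint_block(fps: dict) -> str:
    """Print fingerprints in the IKYP025I layout: SHA1 and MD5 on one line,
    longer digests wrapped at 16 octets with the separator ending each line."""
    lines = ["CA CERTIFICATE FINGERPRINTS:"]
    for alg in FINGERPRINT_ALGS:
        octets = fps[alg].split(":")
        if len(octets) <= 20:
            lines.append(f"{alg}: {fps[alg]}")
        else:
            chunks = [":".join(octets[i:i + 16]) for i in range(0, len(octets), 16)]
            lines.append(f"{alg}: " + ":\n".join(chunks))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    shown = parse_ikyp025i(SAMPLE_IKYP025I)
    # The constructed bytes are not the CA certificate from the sample, so every entry is False.
    print("page sample vs constructed bytes:", verify_fingerprints(SAMPLE_CA_DER, shown))
    # A display rendered from the same bytes round-trips through the parser and verifies.
    ours = parse_ikyp025i(render_fingerprint_block(fingerprints(SAMPLE_CA_DER)))
    print("constructed bytes vs own display:", all_match(verify_fingerprints(SAMPLE_CA_DER, ours)))
```

The comparison insists on all four algorithms rather than stopping at the first match: agreeing on one short digest while the others are unreadable or missing is exactly the situation a careless read-out over the phone produces, and the same verify function serves the "Single Request" check by hashing the request bytes instead of the CA certificate.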