CA-Signed TLS Certificates
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.
14-day money-back guarantee — no questions asked.
Included in this chapter:
- How a CA vouches for a key it never generated
- The CSR: public key and identity, not the key
- From key to installed cert: the issuance flow
- The chain of trust: leaf, intermediate, root
- Installing the cert: OpenSSL and IOS-XE
- Keeping it valid: SAN match, expiry, renewal
- Exam patterns: the failures that get tested
Choosing a certificate issuer
| Consideration | Public CA (ACME) | Public CA (manual) | Enterprise / internal CA | Self-signed |
|---|---|---|---|---|
| Client trust with no config | Yes, public roots | Yes, public roots | Only if root pre-installed | No |
| Domain validation | ACME challenge, automated | Manual CSR + validation | Internal policy / SCEP | None |
| Issue and renew effort | Fully automated | Manual per certificate | Automatable (SCEP/EST) | Manual, self-issued |
| Typical use | Public web / RESTCONF | Public, low volume | Device management at scale | Lab and testing only |
| Cost | Free (e.g. Let's Encrypt) | Often paid | Internal infrastructure | Free |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile Whitepaper
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 Whitepaper
- RFC 2986: PKCS #10 Certification Request Syntax Specification Version 1.7 Whitepaper
- RFC 9525: Service Identity in the Internet Public Key Infrastructure Using X.509 (PKIX) Certificates Whitepaper
- Python ssl module: SSLContext.check_hostname (SAN-based hostname verification)
- RFC 8555: Automatic Certificate Management Environment (ACME) Whitepaper
- RFC 8737: ACME TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension Whitepaper
- RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures (PEM) Whitepaper
- Security and VPN Configuration Guide, Cisco IOS-XE 17.x: Configuring Certificate Enrollment for a PKI
- Configure CA-Signed Certificates with IOS-XE PKI