Domain 3 of 4 · Chapter 5 of 6

CA-Signed TLS Certificates

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • How a CA vouches for a key it never generated
  • The CSR: public key and identity, not the key
  • From key to installed cert: the issuance flow
  • The chain of trust: leaf, intermediate, root
  • Installing the cert: OpenSSL and IOS-XE
  • Keeping it valid: SAN match, expiry, renewal
  • Exam patterns: the failures that get tested

Choosing a certificate issuer

ConsiderationPublic CA (ACME)Public CA (manual)Enterprise / internal CASelf-signed
Client trust with no configYes, public rootsYes, public rootsOnly if root pre-installedNo
Domain validationACME challenge, automatedManual CSR + validationInternal policy / SCEPNone
Issue and renew effortFully automatedManual per certificateAutomatable (SCEP/EST)Manual, self-issued
Typical usePublic web / RESTCONFPublic, low volumeDevice management at scaleLab and testing only
CostFree (e.g. Let's Encrypt)Often paidInternal infrastructureFree

Decision tree

YesNoYesNoYesNoExternal clients musttrust it with no setup?Hands-off automatedissue and renew?You control theclient trust stores?Public CA via ACME(e.g. Let's Encrypt)Commercial public CA(manual CSR)Enterprise / internal CA(IOS-XE trustpoint)Self-signed(lab only)Every path: serve leaf + intermediates; SAN must match the hostname

Cheat sheet

  • The private key never leaves the server
  • What a CSR contains
  • SAN is required, not just CN
  • Generating a CSR with openssl
  • The issuance sequence
  • ACME validates domain control
  • The CA signs with the CA private key
  • A self-signed cert is not a CSR
  • Leaf, intermediate, root chain
  • Missing intermediate breaks verification
  • The root lives in the trust store
  • PEM full-chain ordering
  • Cert must match its private key
  • Validity window and renewal
  • IOS-XE trustpoint enrollment
  • SAN must match the connected hostname

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile Whitepaper
  2. RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 Whitepaper
  3. RFC 2986: PKCS #10 Certification Request Syntax Specification Version 1.7 Whitepaper
  4. RFC 9525: Service Identity in the Internet Public Key Infrastructure Using X.509 (PKIX) Certificates Whitepaper
  5. Python ssl module: SSLContext.check_hostname (SAN-based hostname verification)
  6. RFC 8555: Automatic Certificate Management Environment (ACME) Whitepaper
  7. RFC 8737: ACME TLS Application-Layer Protocol Negotiation (ALPN) Challenge Extension Whitepaper
  8. RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures (PEM) Whitepaper
  9. Security and VPN Configuration Guide, Cisco IOS-XE 17.x: Configuring Certificate Enrollment for a PKI
  10. Configure CA-Signed Certificates with IOS-XE PKI