SRX


PKI

  • 1.  PKI

    Posted 06-04-2017 03:13

    Why is there the digest option in the command: request security PKI generate-certificate-request <Digest>?

    My point is that the CA is the one who should make the digest and then sign it with its private key, so why do I specify the hash algorithm and make the digest?



  • 2.  RE: PKI
    Best Answer

     
    Posted 06-04-2017 23:48

    Hello,

     

    I hope the following link is helpful.

     

    The CA that issues a certificate uses a hash algorithm to generate a digest, and then “signs” the certificate by encrypting the digest with its private key. The result is a digital signature. The CA then makes the digitally signed certificate available for download to the person who requested it. Figure 1 illustrates this process.

    The recipient of the certificate generates another digest by applying the same hash algorithm to the certificate file, then uses the CA's public key to decrypt the digital signature. By comparing the decrypted digest with the digest just generated, the recipient can confirm the integrity of the CA's signature and, by extension, the integrity of the accompanying certificate. Figure 1 illustrates this process.

     

    https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/certificate-digital-understanding.html

     

    Regards,

     

    Rushi



  • 3.  RE: PKI

    Posted 06-05-2017 02:15

    I was confused for a while because it was the generate certificate request command, so if the hash algorithm option will be used for validation, by using it to create a digest from the received certificate, using the CA public key to decrypt the DS, and comparing both hashes, it now makes sense.
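
The sign-and-verify flow quoted in the answer above, as an added example that is not part of the original thread or of Juniper's documentation. It assumes a constructed toy RSA key and unpadded ("textbook") RSA so the digest comparison is visible; real certificate signatures use a padded scheme such as PKCS#1 v1.5 or PSS, and the function names and sample certificate body are hypothetical.

```python
import hashlib
from math import gcd

# Constructed toy CA key built from two Mersenne primes. For illustration only:
# primes of this special form must never be used for a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                      # public modulus
E = 65537                      # public exponent
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent, known only to the CA

# Constructed sample data standing in for the to-be-signed certificate body.
SAMPLE_CERT = b"subject=CN=srx.example.net;issuer=CN=Example CA;serial=01"


def digest_as_int(data: bytes, hash_name: str) -> int:
    """Hash the data with the named algorithm and return the digest as an integer."""
    return int.from_bytes(hashlib.new(hash_name, data).digest(), "big")


def ca_sign(cert_body: bytes, hash_name: str) -> int:
    """CA side: digest the certificate body, then apply the private key to the digest."""
    return pow(digest_as_int(cert_body, hash_name), D, N)


def recipient_verify(cert_body: bytes, signature: int, hash_name: str) -> bool:
    """Recipient side: recover the signed digest with the CA public key and
    compare it with a digest recomputed using the same hash algorithm."""
    recovered = pow(signature, E, N)
    return recovered == digest_as_int(cert_body, hash_name)


def demo():
    sig = ca_sign(SAMPLE_CERT, "sha256")
    ok = recipient_verify(SAMPLE_CERT, sig, "sha256")             # untouched certificate
    tampered = recipient_verify(SAMPLE_CERT + b"x", sig, "sha256")  # body altered
    wrong_hash = recipient_verify(SAMPLE_CERT, sig, "sha1")       # different hash algorithm
    return ok, tampered, wrong_hash


if __name__ == "__main__":
    print(demo())
```

Verification only succeeds when the recipient hashes the unmodified certificate with the same algorithm the signer used, which is why the hash algorithm has to be recorded alongside the signature.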