
Please do mind, it's a long read. I just confused myself again with how the CA server helps with the digital signature and the PKI workflow. Please let me know if what I am describing below is right.

Before that, let me have a topology. 'A' and 'B' are the 2 devices using PKI to authenticate each other for VPN, and then we have 'CA'. I will refer to A and B as devices and CA as CA.

Step1: Generating CA certificate

'request security pki ca-certificate enroll ca-profile Root-CA'

The above command requests the CA server to send the CA certificate to A and B and they load the certificate.

Question1: Does that command help the devices send a message to the CA, and does the CA then respond to it by sending the digitally signed certificate, which the device loads?

If not, how do the devices get the CA cert?

Step2: CA certificate

Regarding the CA cert, am I right to say that, the digitally signed CA cert is generated as below:

1) CA generates its key-pair

2) 'Public key' along with 'Subject' makes up for the content which is hashed to get the 'fingerprint'.

3) The fingerprint is then encrypted using its own private key to form a digital signature which is attached to the certificate to form a digitally signed CA certificate.

4) This is then sent to the devices and then the devices decrypt the Signature using the public key of the CA to unravel the fingerprint.

5) Then, the devices hash the certificate received from the CA to get a fingerprint which is then compared with the unraveled fingerprint to then authenticate the CA.

Question1: If the digitally signed cert is sent from the CA to the devices, how does the device know which decryption algorithm to use on the signature to unravel the fingerprint, and also which hashing algorithm to use to hash the certificate to get the fingerprint which is then compared with the unraveled one?

Question2: How does the device know the public key of the CA to decrypt the signature? Does it get it through some OOB means, or does it directly use the public key from the CA cert which is sent by the CA? If yes, can't the public key sent by the CA be a fraudulent one?

Step3: Local certificate

Once the CA cert is loaded, it's time for the local certificate to be loaded.

Before that, the devices generate their own key-pair.

Then, the devices use SCEP to enroll the local cert using the below command.

request security pki local-certificate enroll certificate-id crt_hub challenge-password aaaa domain-name hub.xxxx.net email hub@xxxx.net subject DC=xxxx,CN=hub,OU=marketing,O=xxxx,L=yyyy,ST=zzzz,C=us ca-profile Root-CA ip-address x.x.x.x

Am I right in saying the following are the steps that happen once you hit that command?

1) The PKCS#10 is first formed, which contains the public key of its own (the device in this case) and then the subject name and alternative subject name.

2) This is then hashed to form a fingerprint.

3) The fingerprint is then encrypted using its own private key to form the digital signature.

4) The digitally signed cert is then sent to the other device.

Question: If the Local cert is signed using its own private key, how does the peer authenticate if the local cert contains the other device's public key, subject and then signed using its own private key?

Where does the CA cert come into play in verifying the local cert sent by the peer?

Please do explain if the previous assumption is wrong, and let me know the right procedure.

RRHS

1 Answer


> If not, how do the devices get the CA cert?

It is either preinstalled or installed manually by the network administrator. Responses to certificate requests are installed manually by the network administrator, or automatically if both the client and the CA support some protocol, for example SCEP (Simple Certificate Enrollment Protocol). Using SCEP, a network device can automatically generate a request, submit it to the CA, and install the response if a certificate is issued.

> 2) 'Public key' along with 'Subject' makes up for the content which is hashed to get the 'fingerprint'.

Much more information is used as input for the signature calculation. See RFC 5280 §4.1.2 for details on what is used as signature input.

> how does the device know which decryption algorithm to use on the signature to unravel the fingerprint and also which hashing algorithm to use to hash the certificate to get the fingerprint which is then compared with the unraveled one.

This information is stored in the certificate.

> How does the device know the public key of the CA to decrypt the signature?

The public key is stored in the CA certificate itself. How is the CA certificate located? It can be supplied along with the TLS connection or located using the certificate chaining engine, which attempts to build a complete chain starting from the end-entity certificate to the root certificate.

> 4) The digitally signed cert is then sent to the other device.

After step 3 you get a certificate signing request, which is not a certificate. This request must be routed to the CA, and a response is received in the form of a signed certificate. A request and a certificate are not interchangeable; they are different objects. You missed a lot of steps between step 3 and step 4. I assume that you are not talking about self-signed certificates (based on step 1 where you mention PKCS#10, which implies the use of a CA-signed certificate), thus there are more steps.

Certificate requests are sent to the central CA, which generates and signs certificates for all parties (A and B). When peers exchange certificates, the receiving peer sees that the certificate is signed by an external authority and executes the certificate chaining engine to locate the CA certificate, extract the public key, and validate the signature and other fields according to RFC 5280 §6.

Crypt32
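
The flow described in the answer above (the device signs a PKCS#10 request with its own key, the CA signs the issued certificate, the peer validates it against the installed CA certificate), as an added example that is not part of the original answer. It uses the OpenSSL CLI rather than the Junos commands from the question; the `Root-CA` and `hub` subjects, the file names and the "rogue" CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Subjects (Root-CA, hub) and file names are constructed.
set -eu
q() { "$@" >/dev/null 2>&1; }        # run quietly, keep the exit status

make_ca() {   # $1 = prefix: CA key pair + self-signed CA certificate
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1.cnf"
  q openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 \
      -days 30 -subj "/CN=Root-CA" -keyout "$1.key" -out "$1.crt"
}
make_csr() {  # $1 = prefix: device key pair + PKCS#10 request
  # The request is signed with the DEVICE's key (proof of possession only).
  q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=hub" -keyout "$1.key" -out "$1.csr"
}
issue() {     # $1 = CA prefix, $2 = CSR, $3 = output certificate
  # The issued certificate is signed with the CA's private key.
  q openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" \
      -CAcreateserial -sha256 -days 30 -out "$3"
}
sig_alg() {   # the signature and hash algorithm are named inside the certificate
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}
peer_accepts() {  # $1 = installed CA certificate (trust anchor), $2 = peer cert
  q openssl verify -CAfile "$1" "$2"
}

demo() {
  cd "$(mktemp -d)"
  make_ca ca
  make_ca rogue                        # same subject name, different key pair
  make_csr hub
  issue ca hub.csr hub.crt
  issue rogue hub.csr forged.crt
  echo "algorithm named in hub.crt: $(sig_alg hub.crt)"
  peer_accepts ca.crt hub.crt       && echo "hub.crt accepted: chains to installed CA"
  peer_accepts ca.crt forged.crt    || echo "forged.crt rejected: not signed by installed CA"
  peer_accepts rogue.crt forged.crt && echo "forged.crt accepted only if rogue CA cert is installed"
}
demo
```

The last line of output is the reason the CA certificate has to reach the devices through a trusted path (preinstalled or installed by the administrator): whichever CA certificate is installed decides which peer certificates validate.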