Please do mind, it's a long read. I just confused myself again with how the CA server helps with the digital signature and the PKI workflow. Please let me know if what I am describing below is right.
Before that, let me have a topology. 'A' and 'B' are the 2 devices using PKI to authenticate each other for VPN, and then we have 'CA'. I will refer to A and B as devices and CA as CA.
Step 1: Generating CA certificate
'request security pki ca-certificate enroll ca-profile Root-CA'
The above command requests the CA server to send the CA certificate to A and B and they load the certificate.
Question 1: Does that command help the devices send a message to the CA, and then does the CA respond to it by sending the digitally signed certificate, which the devices load?
If not, how do the devices get the CA cert?
Step 2: CA certificate
Regarding the CA cert, am I right to say that the digitally signed CA cert is generated as below:
1) CA generates its key-pair.
2) 'Public key' along with 'Subject' makes up the content, which is hashed to get the 'fingerprint'.
3) The fingerprint is then encrypted using its own private key to form a digital signature, which is attached to the certificate to form a digitally signed CA certificate.
4) This is then sent to the devices, and then the devices decrypt the signature using the public key of the CA to unravel the fingerprint.
5) Then, the devices hash the certificate received from the CA to get a fingerprint, which is then compared with the unraveled fingerprint to authenticate the CA.
Question 1: If the digitally signed cert is sent from the CA to the devices, how does the device know which decryption algorithm to use on the signature to unravel the fingerprint, and also which hashing algorithm to use to hash the certificate to get the fingerprint which is then compared with the unraveled one?
Question 2: How does the device know the public key of the CA to decrypt the signature? Does it get it through some OOB means, or does it directly use the public key from the CA cert which is sent by the CA? If yes, can't the public key sent by the CA be a fraudulent one?
Step 3: Local certificate
Once the CA cert is loaded, it's time for the local certificate to be loaded.
Before that, the devices generate their own key-pair.
Then, the devices use SCEP to enroll the local cert using the below command.
request security pki local-certificate enroll certificate-id crt_hub challenge-password aaaa domain-name hub.xxxx.net email hub@xxxx.net subject DC=xxxx,CN=hub,OU=marketing,O=xxxx,L=yyyy,ST=zzzz,C=us ca-profile Root-CA ip-address x.x.x.x
Am I right in saying the following are the steps that happen once you hit that command?
1) The PKCS#10 is first formed, which contains its own public key (the device's, in this case) and then the subject name and alternative subject name.
2) This is then hashed to form a fingerprint.
3) The fingerprint is then encrypted using its own private key to form the digital signature.
4) The digitally signed cert is then sent to the other device.
Question: If the Local cert is signed using its own private key, how does the peer authenticate if the local cert contains the other device's public key, subject and then signed using its own private key?
Where does the CA cert come into play in verifying the local cert sent by the peer?
Please do explain if the previous assumption is wrong, and let me know the right procedure.
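Added example, not code from the original post: a Go program (standard library only) that builds a self-signed Root-CA certificate, a hub certificate issued by Root-CA, and a hub certificate signed with hub's own key, then checks each one against the CA certificate the way a peer that has loaded only the CA cert would. The names Root-CA and hub echo the commands above; keys, subjects and validity periods are constructed sample values, and Ed25519 stands in for whatever algorithm the real devices use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert binds pub to subject cn and signs with signKey; a nil parent means self-signed (issuer ==
// subject), as a root CA certificate is. The signature algorithm is recorded inside the certificate.
func newCert(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, signKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // constructed sample subject
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// Demo: self-signed Root-CA, a hub certificate issued by Root-CA, and a hub certificate signed with hub's own key.
func Demo() (caSelfOK, hubByCAOK, hubSelfOK bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	hubPub, hubKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := newCert("Root-CA", true, caPub, nil, caKey)
	caSelfOK = ca.CheckSignatureFrom(ca) == nil // CA cert signature checked with the CA's own public key
	trusted := x509.NewCertPool() // the only thing the peer trusts: the CA certificate it loaded
	trusted.AddCert(ca)
	_, errByCA := newCert("hub", false, hubPub, ca, caKey).Verify(x509.VerifyOptions{Roots: trusted})
	_, errSelf := newCert("hub", false, hubPub, nil, hubKey).Verify(x509.VerifyOptions{Roots: trusted})
	return caSelfOK, errByCA == nil, errSelf == nil
}

func main() {
	fmt.Println(Demo()) // true true false
}
```

Run with go run; it prints true true false: the CA certificate checks out with the CA's own public key, the CA-issued hub certificate verifies against the trusted CA, and the hub certificate signed with hub's own key does not. The hash and signature algorithm a verifier applies come from the certificate's own SignatureAlgorithm field rather than from an out-of-band agreement.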