1
00:00:01,500 --> 00:00:05,640
PKI is another method for implementing cryptography.

2
00:00:05,940 --> 00:00:14,570
It is based on digital certificates that can be used for authentication and encryption. PKI is built

3
00:00:14,570 --> 00:00:22,550
from a certificate authority to identify the organization that owns the digital certificates. Certificate

4
00:00:22,550 --> 00:00:31,220
authorities handle certificate signing requests for devices participating in the environment. Every certificate

5
00:00:31,220 --> 00:00:37,400
authority has a root certificate that is used as the main top-level certificate. Once a certificate has

6
00:00:37,400 --> 00:00:38,570
been generated,

7
00:00:38,570 --> 00:00:43,640
it can be used to sign all intermediate and client-level certificates.

8
00:00:44,120 --> 00:00:51,020
Once a client trusts a CA certificate, then it will also trust all the certificates signed by that CA.

9
00:00:53,150 --> 00:00:56,570
To retrieve a signed certificate from a certificate authority,

10
00:00:56,570 --> 00:01:03,010
network devices can manually generate certificate signing requests. Certificate signing requests

11
00:01:03,020 --> 00:01:09,830
contain information about the network device, like an FQDN, which stands for fully qualified domain

12
00:01:09,830 --> 00:01:11,310
name.

13
00:01:11,480 --> 00:01:17,310
The CSR will also contain detailed information about the organization that owns the certificate.

14
00:01:19,610 --> 00:01:24,710
When a CSR is generated, a public and private key pair are created.

15
00:01:24,710 --> 00:01:30,040
Once the CSR is generated, it can be submitted to the certificate authority to be signed.

16
00:01:31,490 --> 00:01:36,100
Once the network device receives the signed certificate, it can be installed.

17
00:01:38,390 --> 00:01:43,240
So you can see a CSR actually being generated on a network device.
18
00:01:43,240 --> 00:01:53,620
I'm logged into a Windows web server, and we have the option to create a certificate signing request.

19
00:01:53,690 --> 00:02:00,740
So first we have to enter the common name, which is going to be the hostname of the server.

20
00:02:00,830 --> 00:02:05,500
So if the server's name is web.cisco.com,

21
00:02:05,540 --> 00:02:08,320
that's what we're going to want to enter for its common name,

22
00:02:12,070 --> 00:02:17,180
the full DNS name of the server. Here I've got carried out home.

23
00:02:17,590 --> 00:02:25,770
Organization, we'll say Home; I.T.; say San Jose.

24
00:02:31,710 --> 00:02:36,450
Now I've entered the information required for the CSR.

25
00:02:37,350 --> 00:02:41,940
Next I want to set the bit length. I'll say 2048.

26
00:02:47,370 --> 00:03:00,110
Then we have to save the file somewhere. I'll just save it to the desktop and call it, whatever, CSR.

27
00:03:00,120 --> 00:03:11,200
So now the CSR is on my desktop. I open it up, and this is what the certificate signing request looks like.

28
00:03:13,070 --> 00:03:21,500
This text can actually be used to manually fulfill the certificate signing request on the certificate

29
00:03:21,530 --> 00:03:24,000
authority server.

30
00:03:24,180 --> 00:03:26,440
I'm going to copy that.

31
00:03:27,320 --> 00:03:34,850
Now, to fulfill my certificate signing request and get it signed by my certificate authority, I have web

32
00:03:34,850 --> 00:03:41,040
browsed to my certificate authority's IP address with the certsrv path.

33
00:03:41,180 --> 00:03:47,990
Since this is a Windows certificate authority, I'm going to say "request a certificate".
34
00:03:48,140 --> 00:03:58,100
This will be an advanced certificate request. Paste in my text from my CSR that I generated on my web server,

35
00:03:59,270 --> 00:04:09,290
and since this is a web server, I'm going to select the web server certificate template. Submit, and now

36
00:04:09,290 --> 00:04:12,290
I have the option to download my certificate.

37
00:04:12,290 --> 00:04:14,030
I'm going to choose Base64,

38
00:04:20,540 --> 00:04:22,000
save it to my desktop,

39
00:04:30,300 --> 00:04:31,560
and take the certificate.

40
00:04:31,610 --> 00:04:33,120
Go back to my web server,

41
00:04:35,980 --> 00:04:42,500
and now I have the option to complete certificate request. It asks for the file name.

42
00:04:50,860 --> 00:05:00,040
I'll call this web traffic.

43
00:05:00,040 --> 00:05:00,560
There you go.

44
00:05:00,560 --> 00:05:08,480
Now I have completed my certificate request. You can see it was issued by my Active Directory root certificate

45
00:05:08,480 --> 00:05:09,620
authority.

46
00:05:09,620 --> 00:05:15,950
And now, if I wanted to, I could assign the certificate as my web server's identity certificate for any

47
00:05:15,950 --> 00:05:19,660
HTTPS secure connections.

48
00:05:20,150 --> 00:05:27,770
In addition to a manual CSR, there is a protocol available called SCEP, Simple Certificate Enrollment Protocol.

49
00:05:28,240 --> 00:05:34,820
SCEP requests are sent via HTTP over the network, providing a way for network devices to automatically

50
00:05:34,820 --> 00:05:38,740
retrieve a certificate without manual intervention.

51
00:05:42,110 --> 00:05:48,440
Once the network device has a signed certificate, it is considered to be an identity certificate. Identity

52
00:05:48,440 --> 00:05:55,390
certificates can be used as a credential for authentication and to encrypt data.

53
00:05:56,090 --> 00:06:05,190
All identity certificates have an expiration date to control the validity of the certificate.
54
00:06:05,190 --> 00:06:08,040
So how do network devices use certificates?

55
00:06:08,040 --> 00:06:11,480
Let's first talk about how they can be used for encryption.

56
00:06:11,880 --> 00:06:18,850
A great example is a secure web server. Web servers that are accessed via HTTPS

57
00:06:18,960 --> 00:06:25,820
use their identity certificate to encrypt data for data exchanges with web clients.

58
00:06:25,880 --> 00:06:32,300
The server first responds to the client request with its public key and certificate.

59
00:06:33,080 --> 00:06:38,930
If the client trusts the CA that signed the web server's identity certificate, then the client continues

60
00:06:38,930 --> 00:06:45,650
to communicate and sends encrypted data back to the server, using the public key to encrypt the data.

61
00:06:47,330 --> 00:06:53,960
Data that is encrypted with a server's public key can only be decrypted with the associated private key,

62
00:06:54,170 --> 00:06:59,080
which is only known by the server.

63
00:06:59,090 --> 00:07:05,360
This has been an example of asymmetric encryption, since different keys were used for encryption and

64
00:07:05,360 --> 00:07:14,300
decryption. Within the asymmetric encryption exchange, a symmetric key is secretly created, which then can

65
00:07:14,300 --> 00:07:24,360
be used to create a secure encrypted channel for the HTTPS session between the client and server.

66
00:07:24,360 --> 00:07:31,260
Let's take a look at a real-world example of how a certificate can be used by a secure web server to

67
00:07:31,260 --> 00:07:33,030
encrypt a session.

68
00:07:33,190 --> 00:07:40,870
When we go to secure websites with HTTPS, our web browsers have trusted root certificate authorities

69
00:07:41,350 --> 00:07:47,820
that they use to validate certificates that are sent in responses from secure servers.
70
00:07:49,320 --> 00:08:00,070
So if I go to my certificate store on this web browser and go to trusted root certificate authorities,

71
00:08:00,520 --> 00:08:05,980
here's the certificate authorities that my Google Chrome web browser trusts.

72
00:08:06,220 --> 00:08:13,720
So if I go to a secure website and the secure web server certificate that it presents was signed by

73
00:08:13,720 --> 00:08:20,040
one of these certificate authorities, then my web browser will trust the certificate and allow the connection.

74
00:08:20,500 --> 00:08:28,300
And as you can see here, usually you'll see a green certificate icon letting you know that your web browser

75
00:08:28,330 --> 00:08:33,790
trusts the certificate that the web server has responded with.

76
00:08:33,790 --> 00:08:36,460
So of course Google would be in my trusted root store.

77
00:08:36,460 --> 00:08:44,820
So if I click on that, go to details, I can actually view the certificate that Google responded with.

78
00:08:45,070 --> 00:08:53,320
So you can see that the certificate was issued to www.youtube.com, issued by the Google Internet Authority,

79
00:08:54,460 --> 00:08:58,650
and the certificate's valid until March of 2017.

80
00:08:59,500 --> 00:09:06,150
And then if you look at the details, we can see some encryption algorithm information.

81
00:09:06,580 --> 00:09:13,480
And typically the actual name that the web browser is looking for the match for is within the subject

82
00:09:14,410 --> 00:09:16,330
or the SAN field.

83
00:09:16,330 --> 00:09:28,160
So for example, if I put in the IP address of google.com instead of this FQDN, then the web browser

84
00:09:28,160 --> 00:09:34,220
would not consider the certificate to be trusted, because what I put in the web browser did not match

85
00:09:34,360 --> 00:09:37,600
what the certificate was provisioned for.
86
00:09:37,820 --> 00:09:43,760
So always make sure that the hostname you put in your URL is able to match what the certificate

87
00:09:44,120 --> 00:09:49,780
is set for, so that your web browser trusts the certificate.

88
00:09:49,910 --> 00:09:54,440
And if we look at the certificate path, you can see the root certificate authority, then the intermediate

89
00:09:54,530 --> 00:09:55,080
authority.

90
00:09:55,100 --> 00:10:04,070
So the root signed a cert for this Google Internet Authority G2, and then this intermediate authority

91
00:10:04,070 --> 00:10:12,010
actually signed the identity certificate that the Google web server is using.

92
00:10:12,020 --> 00:10:16,590
Next let's talk about how certificates can be used for authentication.

93
00:10:16,610 --> 00:10:24,540
An example would be for VPN connections. If a VPN client sends a certificate as its credentials,

94
00:10:24,830 --> 00:10:32,860
VPN gateways can authorize the VPN connection if they trust the CA that signed the client certificate.

95
00:10:34,050 --> 00:10:42,100
Usernames within client certificate subject names can also be used for differentiated access.

96
00:10:42,110 --> 00:10:49,280
So for example, the VPN gateway could have an access rule that only allows the user Jadot to access routers

97
00:10:49,280 --> 00:10:52,190
on the network through VPN connections.

98
00:10:52,400 --> 00:10:58,250
If a certificate was assigned to Jadot, then their username would be within the certificate information

99
00:10:58,640 --> 00:11:01,580
and could be used to receive the special access.

100
00:11:05,430 --> 00:11:08,780
To police whether certificates are still valid or not,

101
00:11:08,790 --> 00:11:13,370
certificates can be checked against a revocation list.
102
00:11:13,570 --> 00:11:22,350
And if a certificate has been revoked by a certificate server, then certificates can be denied by devices

103
00:11:22,350 --> 00:11:26,240
like firewalls that are checking for authentication access.

104
00:11:29,070 --> 00:11:36,180
Certificates can be created in many formats based on several public key cryptography standards.

105
00:11:36,180 --> 00:11:39,060
This list of standards should be known for the exam.