WEBVTT

00:01.540 --> 00:02.560
What I stand for.

00:02.610 --> 00:04.990
PKI: Public Key Infrastructure.

00:06.280 --> 00:06.420
Okay.

00:06.460 --> 00:12.450
Until now, what we have seen is, let's say I wanted to create a site-to-site tunnel between R1 and R3,

00:12.460 --> 00:15.490
two different sites connected to the Internet.

00:16.030 --> 00:16.630
Right.

00:16.840 --> 00:18.670
Everything else is public right here.

00:23.140 --> 00:23.830
Since I can.

00:27.700 --> 00:29.020
Everything else is public.

00:31.540 --> 00:32.020
This.

00:36.630 --> 00:37.170
The board.

00:45.910 --> 00:46.230
You know.

00:51.040 --> 00:51.280
Right.

00:51.280 --> 00:51.610
So.

00:53.310 --> 00:54.390
So the Internet, right.

00:54.810 --> 00:57.780
You're connected to the Internet and your job is to do what?

00:58.560 --> 01:00.180
Is to connect the two sides together.

01:00.300 --> 01:01.980
What we've been doing until now.

01:09.090 --> 01:09.360
Right.

01:09.360 --> 01:11.250
Connecting the two sides together.

01:16.540 --> 01:17.470
Across the Internet.

01:18.850 --> 01:23.470
The question is, until now, we were using all but three schedules.

01:24.130 --> 01:25.450
We saw how pre-shared keys work.

01:25.450 --> 01:30.940
So when they used to authenticate each other in the fifth and the sixth packet of your IPsec Transformed

01:30.970 --> 01:35.500
IPsec exchange, your pre-shared key.

01:36.620 --> 01:37.890
Used to be sent across.

01:38.910 --> 01:42.390
Just a key Cisco from here, Cisco from the other side.

01:42.390 --> 01:43.710
But I'll ask you this question.

01:43.710 --> 01:44.730
Is it scalable?

01:45.790 --> 01:47.770
But is it safe to use a pre-shared key?

01:48.610 --> 01:52.270
Say, for example, tomorrow you are in a public environment where.

01:56.140 --> 01:57.460
But you have something like this.

01:57.910 --> 01:59.710
You have one side.

01:59.740 --> 02:00.030
Okay.

02:00.040 --> 02:00.520
Here.

02:02.700 --> 02:03.660
Then are two.

02:04.620 --> 02:05.130
All three.

02:06.240 --> 02:06.900
After.

02:08.170 --> 02:08.860
At five.

02:09.840 --> 02:10.580
Our six.

02:12.080 --> 02:13.340
Let's say you have seven types.

02:16.610 --> 02:17.840
All connected together.

02:19.800 --> 02:21.880
Using maybe DMVPN.

02:24.910 --> 02:25.150
Right.

02:25.630 --> 02:29.500
If I use a pre-shared key of Cisco, for example, on all of them.

02:30.160 --> 02:34.260
If one of them gets compromised, right.

02:34.270 --> 02:36.550
If, for example, the guy sitting at this site.

02:37.000 --> 02:41.860
Is fired and he gives out the pre-shared key to someone else.

02:42.730 --> 02:45.550
The guy can come in and go to all of them, right?

02:45.550 --> 02:50.200
He can just create a tunnel with all of those guys, all of these other sites.

02:50.500 --> 02:51.430
Not scalable.

02:51.430 --> 02:52.150
Not feasible.

02:52.150 --> 02:52.540
Right.

02:53.130 --> 02:56.280
So what you would do is you could have a different PSK for each site.

02:57.350 --> 03:04.610
So for R1, from R1 to R2, I would have a different PSK, from R1 to R3 a different PSK, a different

03:04.610 --> 03:06.230
one, a different one, a different one.

03:06.380 --> 03:11.830
But again, the scalability problem would come more sites, more complexity to create the tunnels.

03:13.020 --> 03:15.480
Plus what about spoke to spoke communication?

03:16.870 --> 03:17.920
More complexity.

03:19.060 --> 03:19.790
So it is okay.

03:19.810 --> 03:25.330
It's good for a small site or you have 2 or 3 sites, it's fine, but the more you grow.

03:26.220 --> 03:28.950
The more you grow, the more problems the PSK causes.

03:30.800 --> 03:35.900
Unless you're fine with having the same PSK in all your networks, which is again, not safe.

03:37.170 --> 03:39.150
Security is as strong.

03:39.840 --> 03:41.070
As your weakest link.

03:42.330 --> 03:42.570
Right.

03:43.080 --> 03:47.730
If your link is weak anywhere along the chain, for example, think about it as a chain.

03:47.910 --> 03:48.410
Right?

03:48.420 --> 03:49.260
Those cuffs.

03:49.780 --> 03:52.000
If any one small link is weak.

03:52.030 --> 03:54.110
It's all I mean, the whole point is lost.

03:54.130 --> 03:55.090
The same thing here.

03:55.920 --> 04:01.050
You will have IPsec, 3DES running, triple DES, everything across the tunnel.

04:01.050 --> 04:02.300
SHA, MD5.

04:02.760 --> 04:04.320
If you don't have the key.

04:04.890 --> 04:09.120
And if this gets compromised, your whole security system crashes.

04:09.660 --> 04:10.890
How do we fix this?

04:10.920 --> 04:11.790
We use PKI.

04:12.180 --> 04:13.230
Now, what is PKI?

04:14.830 --> 04:19.630
You'll use this a lot in web VPN, SSL, VPN, so I'll give you a good idea about how it works.

04:20.390 --> 04:26.360
Like, yeah, it's certificate authorities, right.

04:26.690 --> 04:27.890
Let's talk about the bank.

04:29.340 --> 04:32.250
Talk about the bank, a website when you open a website.

04:34.250 --> 04:35.840
You have, for example.

04:37.050 --> 04:37.890
HDFC Bank.

04:39.990 --> 04:41.250
They have a website, right?

04:43.550 --> 04:45.020
When you open their website.

04:46.280 --> 04:53.330
You open their website, you enter your customer details, your password and all that information in

04:53.330 --> 04:53.960
the website.

04:55.240 --> 04:56.350
Do you create a VPN?

04:58.110 --> 04:59.640
Do you by yourself create a VPN?

04:59.670 --> 05:01.740
Do you open a client to connect?

05:01.950 --> 05:04.020
Do you use IPsec parameters?

05:04.050 --> 05:05.940
No, we don't use anything like that.

05:07.260 --> 05:08.520
We don't use anything like that.

05:08.550 --> 05:08.850
Why?

05:08.880 --> 05:09.510
Because this.

05:09.510 --> 05:11.400
This VPN is known as Clientless VPN.

05:12.300 --> 05:12.840
Thin client.

05:13.890 --> 05:14.610
Sorry, not.

05:14.790 --> 05:16.590
Thin client is for client less.

05:17.750 --> 05:20.450
But you use it through a browser, clientless.

05:20.450 --> 05:20.750
We do.

05:21.290 --> 05:22.610
What do we mean by that?

05:22.610 --> 05:23.960
Let's open the website.

05:24.050 --> 05:26.030
Let's open any website out there now.

05:29.110 --> 05:29.210
You.

05:30.320 --> 05:31.130
Yes, exactly.

05:31.130 --> 05:33.500
That's that's what's that's what's is.

05:34.130 --> 05:35.210
It's a secure tunnel.

05:35.210 --> 05:38.000
So when I, let's say, continue to net banking.

05:39.140 --> 05:43.040
The moment you see this green sign here, that means your VPN is connected.

05:43.970 --> 05:45.080
It's a VPN connected.

05:45.080 --> 05:50.480
If you click on it and you go to your connection, it'll show you the connection is encrypted using

05:50.480 --> 05:55.760
a mechanism, plus it uses MD5 for authentication and RSA as the key exchange mechanism.

05:56.930 --> 05:58.160
You didn't do anything.

05:58.190 --> 05:59.840
It connected automatically.

06:01.880 --> 06:04.490
The question is where did the authentication take place?

06:06.150 --> 06:06.390
How?

06:06.390 --> 06:07.440
When did I authenticate?

06:07.440 --> 06:09.240
I did not do anything about authentication.

06:09.240 --> 06:09.660
Right?

06:09.870 --> 06:15.210
It automatically authenticated HDFC bank.com if you check the authentication was done.

06:16.220 --> 06:17.390
Based on a certificate.

06:19.040 --> 06:24.920
HDFC showed me a certificate, it said, okay, listen, this is my certificate.

06:26.070 --> 06:29.660
My certificate has been assigned to nit bookings.com.

06:29.700 --> 06:31.710
These are the details of the certificate.

06:32.690 --> 06:32.960
Right.

06:33.140 --> 06:34.790
And this is the path where it sold.

06:35.000 --> 06:36.620
It has been signed by VeriSign.

06:37.490 --> 06:39.770
The question is, who is to stop?

06:40.420 --> 06:43.780
Someone else tomorrow from creating an exact same site.

06:44.750 --> 06:46.040
And giving you a certificate.

06:46.780 --> 06:47.620
Who is to stop that?

06:50.200 --> 06:50.830
The CA.

06:52.010 --> 06:53.990
Not the server, your browser will stop it.

06:54.170 --> 06:56.630
But let me explain how this works.

06:57.260 --> 06:58.880
Now what happens is.

07:00.490 --> 07:01.450
When you're HDFC.

07:02.800 --> 07:05.350
And you want to authenticate yourself on the Internet.

07:05.920 --> 07:08.960
Think of the server as an authority.

07:08.980 --> 07:13.180
It is called a certificate authority, but think of it as as a government authority.

07:15.490 --> 07:16.150
As a government.

07:16.480 --> 07:21.940
The best example I could think of is let's say you have license, right?

07:22.210 --> 07:22.570
Driving.

07:22.570 --> 07:23.320
License.

07:23.350 --> 07:25.090
Who signs your driving license?

07:26.360 --> 07:26.750
How do you.

07:27.810 --> 07:28.670
It does, right?

07:28.680 --> 07:34.380
So when you walk, when you're on the field, right, you're riding your bike, cop stops you, you

07:34.380 --> 07:35.580
show him a license.

07:35.610 --> 07:37.080
How does he accept it?

07:37.080 --> 07:38.720
Only if it's signed by the RTO.

07:38.760 --> 07:44.690
If you go if you go home and you print a page, a piece of paper and you write, This is my license,

07:44.700 --> 07:49.290
my name is this, and I'm authorized to drive in India, Will you accept it?

07:50.010 --> 07:52.380
The only reason he accepts it is why.

07:52.710 --> 07:55.470
Because it has been signed by the team.

07:55.770 --> 07:58.410
That is the whole concept behind certificate authorities.

07:59.310 --> 08:00.330
The whole concept.

08:00.630 --> 08:07.470
So what HDFC Bank has to do to register themselves is, there are well-known CAs out there, some of

08:07.470 --> 08:07.890
them.

08:10.150 --> 08:10.690
VeriSign.

08:11.770 --> 08:12.490
There's GoDaddy.

08:15.710 --> 08:16.100
Let's go.

08:16.100 --> 08:16.430
Sit.

08:17.480 --> 08:19.070
Some Fed member correctly.

08:20.170 --> 08:23.090
There's many out there, but these are trusted authorities.

08:24.450 --> 08:27.360
These are the RTOs of your Internet.

08:28.720 --> 08:30.730
So tomorrow when HDFC Bank comes in.

08:34.520 --> 08:35.990
They want to register themselves.

08:36.020 --> 08:41.090
The way they do it is HDFC has to create a set of keys.

08:42.300 --> 08:44.640
RSA keys, a public key and a.

08:48.590 --> 08:49.550
A public and a private.

08:50.740 --> 08:51.400
A set of keys.

08:51.400 --> 08:54.490
Now, the size of this key does not matter.

08:54.640 --> 08:55.890
I mean, it's up to them.

08:55.900 --> 09:01.690
The stronger the key, the stronger the encryption, the bigger the key, the better the encryption.

09:02.760 --> 09:09.540
So the HDFC Bank, what it does is it says, okay, since I need to get registered, it takes the public

09:09.540 --> 09:10.050
key.

09:10.620 --> 09:11.730
Gives it to whom?

09:13.530 --> 09:14.100
The CA.

09:15.210 --> 09:15.520
Tell them.

09:15.540 --> 09:15.900
Listen.

09:16.820 --> 09:17.840
I'm HDFC Bank.

09:18.140 --> 09:19.410
This is my public key.

09:19.430 --> 09:20.990
Please sign my public key.

09:23.090 --> 09:24.830
Please sign my public key.

09:25.420 --> 09:34.940
Now, the server doesn't just sign the public key, it will ask HDFC Bank to submit documents, do verification,

09:34.940 --> 09:40.430
and go through all that process where it makes sure that HDFC Bank is HDFC Bank.

09:42.270 --> 09:47.970
Because if tomorrow it doesn't it's not I mean, it is realized that it's not actually HDFC Bank.

09:48.150 --> 09:50.280
The server is going to get into trouble.

09:50.580 --> 09:56.110
So it's their job to verify whoever they're giving out the certificates to are valid people.

09:57.840 --> 09:58.230
Correct.

09:59.690 --> 10:02.530
So that's what we do with the public key.

10:02.540 --> 10:03.680
Go to the CA server.

10:03.710 --> 10:05.240
The server will sign it.

10:06.250 --> 10:10.060
The private key of HDFC Bank remains with it doesn't give it out.

10:10.060 --> 10:10.840
Private key.

10:10.870 --> 10:12.820
Always remember, always stays.

10:16.740 --> 10:17.910
It's never thrown out.

10:18.480 --> 10:19.590
The private key will always remain.

10:20.670 --> 10:22.980
The only thing that was given out was the public key.

10:24.230 --> 10:28.550
Now, if we have that, how does the CA sign it?

10:28.880 --> 10:29.900
That is the question.

10:30.820 --> 10:32.770
How does the server sign this certificate?

10:35.110 --> 10:37.930
The server has also a set of.

10:39.780 --> 10:41.490
Private and.

10:43.970 --> 10:44.510
Public.

10:45.550 --> 10:47.350
It has its own set of private and public.

10:49.050 --> 10:49.410
Right.

10:49.410 --> 10:51.030
So when you come with your public key.

10:52.330 --> 10:55.060
It's not just the public key you're going in.

10:55.980 --> 10:56.640
With.

10:58.220 --> 11:00.560
An IC, an identity certificate.

11:01.780 --> 11:05.320
Which includes your public key and your name saying I am HDFC

11:07.460 --> 11:14.150
Bank, and maybe your interface address or certain other information which you want, but usually it's

11:14.150 --> 11:18.410
just the name saying, okay, this is my public key and I'm HDFC bank.com.

11:18.410 --> 11:20.300
You just don't throw away the public key.

11:20.330 --> 11:22.760
You present it right.

11:23.590 --> 11:27.220
In an IC with your name and everything saying, this is from me.

11:27.250 --> 11:28.330
Please sign this.

11:29.530 --> 11:33.850
The moment this IC reaches the CA, what the CA does, he says okay.

11:33.880 --> 11:35.050
First he verifies you.

11:35.080 --> 11:40.030
Once you are verified, it will write here on this IC.

11:42.040 --> 11:45.760
Say signed by VeriSign.

11:50.140 --> 11:55.300
It will write its own name, but this name will not be available.

11:56.090 --> 11:57.860
This name will be encrypted.

12:02.880 --> 12:03.600
Encrypted.

12:03.600 --> 12:04.410
Using what?

12:05.130 --> 12:05.970
The private key.

12:05.970 --> 12:06.450
Of whom?

12:07.420 --> 12:08.070
The CA.

12:09.210 --> 12:13.560
This name will be encrypted using the private key of the.

12:14.880 --> 12:15.990
You might ask why?

12:16.320 --> 12:17.220
I'll explain why.

12:19.020 --> 12:19.320
Right.

12:19.320 --> 12:20.490
And he gives it back.

12:24.660 --> 12:28.890
Anybody in the middle can also act as excuse anybody can just create a certificate.

12:28.890 --> 12:30.090
And on that certificate.

12:30.090 --> 12:30.620
Right.

12:30.630 --> 12:31.200
VeriSign.

12:33.240 --> 12:37.740
So what VeriSign does is it writes VeriSign but encrypts it using its own private key.

12:38.250 --> 12:40.260
Let's see how that is useful now.

12:40.290 --> 12:42.030
HDFC Bank has what?

12:43.130 --> 12:43.990
An IC.

12:44.020 --> 12:46.000
We call it an IC, identity certificate.

12:47.370 --> 12:49.800
When you go and create a connection tomorrow with it.

12:51.030 --> 12:55.510
I'm sitting here when you go and create a connection with it, right?

12:55.530 --> 12:57.600
You try to create that SSL connection with it.

12:57.600 --> 12:58.830
It presents to you.

12:58.860 --> 12:59.370
What?

13:00.620 --> 13:01.070
This is.

13:01.950 --> 13:03.260
He has received it, right?

13:03.500 --> 13:04.920
It presents to you this IC.

13:06.690 --> 13:08.140
Now it's your job.

13:08.160 --> 13:09.210
Do you accept this?

13:09.240 --> 13:09.570
IC.

13:09.720 --> 13:10.680
Or do you not?

13:13.090 --> 13:13.860
You might have seen.

13:13.860 --> 13:19.540
Sometimes when you're trying to create a connection, you get that red mark saying, Please proceed.

13:19.560 --> 13:22.890
Please click okay or please proceed at your own risk.

13:23.740 --> 13:24.000
Right.

13:24.000 --> 13:26.290
It's not HTTPS, it's with the cross.

13:26.310 --> 13:31.020
That's because the certificate that company is showing you is not verified.

13:31.930 --> 13:34.160
And we'll see in a moment what that means.

13:34.200 --> 13:36.700
What has not verified itself.

13:38.190 --> 13:41.400
Let's see how now, when it presents to you the certificate.

13:41.850 --> 13:42.390
Right.

13:42.750 --> 13:44.280
You need to verify.

13:44.280 --> 13:46.650
Is this actually coming from the RTO?

13:47.790 --> 13:51.510
Is it actually coming from VeriSign or GoDaddy or all of those people?

13:51.540 --> 13:52.890
How will you know that?

13:57.080 --> 13:57.890
The CA.

13:58.250 --> 13:58.850
Why?

13:58.940 --> 14:00.410
Why are these people known?

14:01.040 --> 14:03.500
Why is VeriSign, GoDaddy and GoDaddy?

14:03.530 --> 14:06.080
Go search all of these people, all of these CAs.

14:06.110 --> 14:08.060
Why are they famous?

14:08.630 --> 14:10.220
First of all, they are famous.

14:10.430 --> 14:11.150
They are there.

14:11.180 --> 14:11.390
They are.

14:11.390 --> 14:13.040
The car's registered keys.

14:13.070 --> 14:16.640
Since they are the CAs, what your browsers have done.

14:17.920 --> 14:20.200
If you go to your browser settings.

14:21.130 --> 14:24.850
And you go to your SSL section.

14:27.380 --> 14:30.140
In your root certificates, you will see.

14:31.560 --> 14:33.000
A lot of certificates out there.

14:34.050 --> 14:34.830
There's VeriSign.

14:36.210 --> 14:38.850
There is SecureTrust.

14:40.280 --> 14:45.720
GlobalSign, GeoTrust is there, GlobalSign is there, a lot of them.

14:45.740 --> 14:49.190
These are all trusted authorities on the internet.

14:49.810 --> 14:50.880
What you have here.

14:50.890 --> 14:52.150
Can you guess what this is?

14:54.960 --> 14:57.890
These are the public keys of all the CAs.

14:59.780 --> 15:01.160
Everybody already has them.

15:03.020 --> 15:07.430
Everybody in the world, every browser in the world will have the public key of the.

15:08.620 --> 15:10.260
And that's what helps you right now.

15:10.270 --> 15:13.570
What you have here is what we call trusting the CA.

15:16.140 --> 15:19.050
What you have here already is what?

15:20.690 --> 15:21.350
Public.

15:23.220 --> 15:24.980
Of the CA.

15:26.090 --> 15:30.010
So when you get the certificate, what do I do with the public key?

15:31.880 --> 15:33.530
I tried to decrypt the name.

15:35.940 --> 15:39.030
I tried to decrypt the name of the guy who signed the certificate.

15:39.390 --> 15:43.650
The only one way I can open this up is if it was signed by a.

15:45.320 --> 15:47.330
That's the only way I can sign it.

15:47.330 --> 15:47.990
I can see it.

15:49.160 --> 15:49.490
Right.

15:50.750 --> 15:52.030
We don't have to go to the CA.

15:52.370 --> 15:54.150
We just get the certificate.

15:54.170 --> 15:55.730
If I can open it.

15:55.760 --> 15:59.030
The only one way I can open it, if it is signed by the private or the.

15:59.840 --> 16:05.450
Anybody else in the world who signs it, I won't be able to open it, because I have the public key of the CA.

16:06.380 --> 16:09.080
Public from policy is actually.

16:10.200 --> 16:10.680
It's actually.

16:12.100 --> 16:12.450
From this.

16:12.910 --> 16:13.380
From this.

16:14.250 --> 16:15.210
It's not an IC.

16:15.510 --> 16:18.720
It's an IC with the name on it inside.

16:18.720 --> 16:19.560
That is the key.

16:20.450 --> 16:21.950
But you can also see it is a.

16:23.460 --> 16:24.960
Exactly similar to the.

16:26.950 --> 16:29.200
You can see the key if you go in here.

16:31.980 --> 16:32.470
Any key.

16:33.120 --> 16:33.870
Let's click on it.

16:35.020 --> 16:37.270
Go to the details to see the public key.

16:39.520 --> 16:43.030
So you have a public key, plus you have more information in the certificate.

16:44.320 --> 16:47.280
These are also certificates which you have installed publicly.

16:47.290 --> 16:47.800
Of whom?

16:48.410 --> 16:52.280
The CA server installed on you. So as a review.

16:52.850 --> 16:55.640
What you do is as a review.

16:58.800 --> 17:00.540
HDFC will go with its public key.

17:00.570 --> 17:01.280
To whom?

17:01.290 --> 17:02.220
The server.

17:02.250 --> 17:03.690
The server will sign it.

17:03.690 --> 17:04.440
Using what?

17:06.610 --> 17:07.120
The private.

17:08.010 --> 17:09.570
Gives it back to HDFC Bank.

17:09.780 --> 17:12.020
Now HDFC goes to anybody in the world.

17:12.030 --> 17:13.560
Everyone has the public key of the CA.

17:13.560 --> 17:14.850
They'll be able to open it.

17:15.670 --> 17:17.980
How does it protect you from the intruders?

17:20.190 --> 17:22.320
They will never be signed by VeriSign.

17:22.350 --> 17:23.940
They will never be signed by Geotrust.

17:23.970 --> 17:25.620
They will never be signed by Globalsign.

17:27.100 --> 17:28.690
That's how you're protected in SSL.

17:28.900 --> 17:34.780
So when they show you the certificate, whatever is whoever signed their certificate, you don't have

17:34.780 --> 17:35.920
the public key of that.

17:37.950 --> 17:39.420
So you're not able to open it.

17:45.240 --> 17:45.960
The public key.

17:47.310 --> 17:49.170
You mean you're talking about the intruder?

17:50.250 --> 17:50.700
Yeah.

17:56.440 --> 17:57.550
To decrypt it.

17:58.060 --> 18:00.520
Usually you have a certain you have it written.

18:00.670 --> 18:03.040
Usually VeriSign is also written somewhere else.

18:03.130 --> 18:05.060
So it tries to open it using VeriSign.

18:06.320 --> 18:11.450
The actual signature, he has to open the signature, but it's also specified in the

18:11.490 --> 18:12.320
oh or something.

18:12.320 --> 18:15.050
Somewhere along the way it's written that it's actually VeriSign.

18:16.310 --> 18:17.600
Then he tries to open it.

18:17.630 --> 18:23.380
If it cannot open that signature that is coming through, then it doesn't accept it.

18:23.390 --> 18:26.480
Even if it says it's VeriSign, it will not accept it.

18:28.190 --> 18:28.490
Right.

18:29.680 --> 18:35.650
There you can see it now when you open HDFC and you click here.

18:35.710 --> 18:42.640
Connection: The identity of HDFC Bank Limited at whatever address is written here, has been verified

18:42.640 --> 18:47.110
by VeriSign Class 3 Extended SSL CA.

18:49.250 --> 18:50.240
Certificate authority.

18:52.000 --> 18:55.930
And whatever this certificate authority is, I do have its public key.

18:56.320 --> 18:57.800
That means it's valid.

18:57.820 --> 18:59.500
This is HDFC bank.com.

19:00.310 --> 19:02.350
So whenever you see this green mark.

19:03.180 --> 19:03.840
You're safe.

19:05.400 --> 19:06.690
You know that this is a trusted.

19:06.690 --> 19:07.140
Basically.

19:07.140 --> 19:08.340
You are the police officer.

19:08.370 --> 19:12.330
This is the guy showing you the IC and you're making sure that it is signed by the CA.

19:15.070 --> 19:15.400
Right.

19:15.550 --> 19:17.770
Do you understand how the intruders cannot come now?

19:21.240 --> 19:22.350
I'd ask you a question then.

19:22.830 --> 19:29.640
What if you wanted to create your own server and you have hundreds of people in your company and you

19:29.640 --> 19:33.780
want to host that server in there, but you need to create SSL connection to it.

19:34.170 --> 19:38.760
The problem is whenever they try to connect, they get that message that it's not safe and they need

19:38.760 --> 19:40.140
to click and proceed anyway.

19:40.230 --> 19:41.940
How do you prevent that from happening?

19:44.040 --> 19:48.810
Install the public key of whoever signed that certificate on all the PCs.

19:50.920 --> 19:52.900
Install the public key on all the PCs.

19:52.930 --> 19:56.890
Once that is installed, whatever certificate they get, they will accept it.

19:58.480 --> 19:59.770
So this part here.

20:04.310 --> 20:05.810
This right here.

20:05.900 --> 20:07.010
Very dangerous.

20:08.500 --> 20:12.670
If you install a public key there, it's very dangerous because anything signed by that private key

20:12.760 --> 20:15.580
of the same public key, you'll accept it.

20:18.060 --> 20:18.510
I'll show you.

20:19.920 --> 20:20.430
I'll show you how to.

20:21.850 --> 20:23.500
But dangerous.

20:24.340 --> 20:24.570
Right.

20:24.580 --> 20:25.420
Not recommended.

20:26.430 --> 20:31.590
Unless you know that it's a controlled environment, unless you know it's your lab environment or it's

20:31.590 --> 20:32.550
your own company.

20:32.580 --> 20:33.860
The users are controlled.

20:33.870 --> 20:34.410
It's fine.

20:35.370 --> 20:35.720
Let's see.

20:36.160 --> 20:37.240
We'll see that again.

20:37.450 --> 20:43.420
Now, the question is, this was just about a basic idea of how it works with SSL.

20:43.450 --> 20:47.090
We'll have a we'll have more detailed look about it with SSL VPN.

20:47.110 --> 20:49.900
For now, how does it work here?

20:50.900 --> 20:51.980
In site to site VPN.

20:53.210 --> 20:53.870
Simple.

20:54.440 --> 20:59.030
I have a CA server now, instead of R1 sending the PSK.

20:59.210 --> 21:04.460
What I'll do is I'll register R1, create a set of keys, public and private.

21:04.490 --> 21:05.450
Take the public key.

21:05.450 --> 21:05.960
To whom?

21:07.090 --> 21:09.070
The server and.

21:09.840 --> 21:10.440
Get the.

21:11.390 --> 21:11.870
IC.

21:12.960 --> 21:13.460
My IC?

21:13.530 --> 21:14.280
Signed by whom?

21:14.460 --> 21:15.270
The server.

21:16.290 --> 21:21.330
When I present my certificate to R3, will he accept it?

21:24.760 --> 21:28.330
What is the only one way that it will accept that certificate?

21:29.170 --> 21:33.670
First, I have to install the public key of this PKI server on both of them.

21:36.030 --> 21:38.580
First, the public key has to be installed on both of them.

21:38.580 --> 21:43.980
Once you install that public key, then when R1 presents its certificate to R3.

21:45.320 --> 21:47.240
It's signed by the PKI server.

21:48.440 --> 21:52.880
It will accept it because it's signed by the server which you already trust.

21:54.870 --> 21:58.890
Same thing from the other side when I present my IC to the other side.

21:59.530 --> 22:01.080
R1 has to trust the PKI.

22:01.110 --> 22:05.700
When I say trust, it should have the public key so that it can decrypt whatever is written.

22:07.220 --> 22:07.820
On the other side.

22:09.360 --> 22:10.230
Any questions?

22:12.500 --> 22:13.040
Is it clear?

22:15.270 --> 22:15.510
Here.

22:16.350 --> 22:16.740
Right.

22:17.460 --> 22:19.620
We'll see how it we'll see how it's done.

22:19.620 --> 22:20.530
Now, the public key.

22:20.550 --> 22:22.860
You're not using for anything, by the way, right now.

22:23.070 --> 22:25.080
Not for encryption, not for decryption.

22:25.080 --> 22:25.710
It's only used.

22:25.710 --> 22:26.260
For what?

22:26.310 --> 22:27.330
Identification.

22:27.330 --> 22:28.080
That's it.

22:28.110 --> 22:30.900
This IC is not used for anything else.

22:31.910 --> 22:33.830
Just identification that.

22:33.830 --> 22:34.130
Okay?

22:34.130 --> 22:34.340
Yes.

22:34.340 --> 22:35.690
This belongs to my company.

22:35.690 --> 22:37.550
And R3 says I belong to this company.

22:37.550 --> 22:38.090
That's it.

22:39.790 --> 22:41.230
That is the only one reason.

22:41.890 --> 22:43.300
How is it scalable?

22:43.330 --> 22:45.310
Now you have 100 sites.

22:45.910 --> 22:47.560
They do not require a PSK.

22:47.620 --> 22:51.190
Now all you need to do is first time go and register with the CA.

22:51.220 --> 22:52.660
Done forever.

22:55.000 --> 22:57.940
Whoever they create the tunnels with, they'll just present their ICs.

22:57.970 --> 23:00.580
The only thing that should match is who signed you.

23:03.190 --> 23:03.780
Who signed this.

23:03.790 --> 23:04.030
IC.

23:04.060 --> 23:04.680
Who signed that?

23:04.690 --> 23:05.020
IC.

23:06.240 --> 23:09.480
If it's the same server that all of them are trusting, it's okay.

23:10.750 --> 23:12.610
They don't need anything else.

23:14.820 --> 23:15.120
Right.

23:16.230 --> 23:17.930
Let's go into more details of it.

23:21.490 --> 23:24.400
Now, the address that I'm going to be using is right here.

23:24.430 --> 23:25.690
I'm going to also.

23:26.810 --> 23:27.830
Give it a host PC.

23:34.580 --> 23:35.690
Connect it to the loopback.

23:49.410 --> 23:49.770
Sorry.

23:52.040 --> 23:52.340
Yeah.

23:53.870 --> 23:55.790
Yes, obviously a lot of money.

23:56.660 --> 23:57.070
Lot of money.

23:57.440 --> 23:58.340
It's expensive.

23:59.950 --> 24:02.350
To get an HTTPS connection is expensive.

24:03.290 --> 24:06.230
Plus verifications and all that takes time.

24:08.720 --> 24:09.260
What?

24:16.250 --> 24:16.940
Hope it works.

24:17.330 --> 24:21.720
Now, what I'm going to do is I'm going to create the certificate here, right?

24:21.740 --> 24:24.070
The public key public and the private.

24:24.080 --> 24:25.790
I'm going to export it to the host.

24:26.270 --> 24:29.270
So I'll show it to you how it looks like on the PC.

24:31.120 --> 24:34.660
I'm going to create this guy into the PKI server and that's your job.

24:34.660 --> 24:36.730
That's how you are going to do it.

24:37.330 --> 24:39.690
Create a PKI server, right?

24:39.700 --> 24:45.250
And then trust everybody and then create ICs after that.

24:47.090 --> 24:49.760
Before we move any further, let's just configure this.

25:00.090 --> 25:01.380
Which interface is this?

25:03.770 --> 25:04.520
F0/1.

25:07.620 --> 25:10.500
Interface f0/1, IP address 192.168.

25:10.530 --> 25:15.930
Let's say 2.20 or 2.25.

25:27.110 --> 25:28.760
That's what I was afraid of.

25:37.540 --> 25:38.410
Then mine it.

25:45.770 --> 25:46.790
Try the loopback.

26:59.090 --> 27:00.350
Go to the loopback.

27:19.800 --> 27:20.850
So I can read the loopback.

27:21.720 --> 27:22.830
I can read the host PC.

27:23.520 --> 27:24.390
We'll use it later.

27:24.440 --> 27:25.650
Just keep it here for now.

27:28.150 --> 27:28.330
This.

27:28.330 --> 27:29.650
Configure the rest of the stuff.

27:32.110 --> 27:32.470
Okay.

27:36.400 --> 27:36.650
Right.

27:36.670 --> 27:38.260
Let's check if everything is okay.

27:39.240 --> 27:41.520
R1 should be able to reach all of them.

27:43.250 --> 27:45.520
So let's go to R1, ping.

27:45.530 --> 27:51.290
151.24.4, which is the server, and 23.3 is R3.

27:51.290 --> 27:54.140
And 25.5 is the NTP server.

27:54.380 --> 27:56.840
You might ask the question, why do we need the NTP server?

27:58.580 --> 28:02.650
Now, why? Right now the routers have what time?

28:04.130 --> 28:04.910
The clock time.

28:05.800 --> 28:06.340
The system.

28:06.340 --> 28:09.100
Time is configured there when you bring them up.

28:09.100 --> 28:11.530
It's somewhere in 2000 to March 2002.

28:12.390 --> 28:17.570
When you create the certificate here, the certificates are usually valid for 3 to 5 years.

28:17.580 --> 28:20.890
Some are valid for three years, some are valid for five years.

28:20.910 --> 28:25.950
There is a huge possibility that when you create that certificate, the times are not synchronized.

28:26.190 --> 28:26.460
Right?

28:26.460 --> 28:32.610
This will be valid from 2002 to 2007 and your clients.

28:33.440 --> 28:36.410
Will already be at a different date or a different time.

28:36.410 --> 28:38.480
So it's recommended that all of them.

28:39.440 --> 28:41.660
Synchronize themselves with respect to what?

28:42.640 --> 28:42.790
The.

28:45.850 --> 28:46.090
Right.

28:46.180 --> 28:50.530
So all of them have the same time only because the certificates when they are issued.

28:51.290 --> 28:53.810
Right, so that it falls into the same time.

28:56.710 --> 29:00.340
You can configure the server as the NTP server.

29:00.340 --> 29:04.960
But I'm talking about a real-life scenario, right, where you have a separate

29:05.020 --> 29:08.140
NTP server, a separate PKI server, and then two different sites.

29:09.730 --> 29:09.960
Right.

29:10.140 --> 29:13.770
So what I'll do is I'll go to the NTP server.

29:14.520 --> 29:18.120
I will obviously not use it, but just to show you how it works.

29:18.510 --> 29:20.430
Master to clock.

29:21.180 --> 29:22.620
Let's set.

29:23.390 --> 29:24.320
Right now is.

29:28.720 --> 29:29.440
16.

29:35.380 --> 29:36.660
And all the others.

29:36.670 --> 29:39.700
I'll point them to where the NTP server is.

29:39.700 --> 29:41.320
151.25.

29:53.530 --> 29:57.410
Now we'll do the other stuff and let's see if it gets synchronized.

29:57.430 --> 29:58.210
It does take time.

29:58.210 --> 29:58.390
It's.

30:02.440 --> 30:03.690
Synchronized with itself.

30:03.700 --> 30:04.810
Let's check others.

30:05.620 --> 30:06.970
I'm sure that they're not.

30:07.870 --> 30:09.550
Oh, there it is.

30:12.420 --> 30:13.230
That's interesting.

30:23.850 --> 30:25.140
They all have the same time.

30:28.250 --> 30:28.490
Right.

30:29.060 --> 30:30.020
So that's fine.

30:30.770 --> 30:32.030
Clock synchronization is there.

30:32.750 --> 30:34.010
Now we go ahead.

30:34.010 --> 30:34.700
To whom?

30:34.700 --> 30:38.630
The PKI server and start configuring the real stuff.

30:38.660 --> 30:39.920
The actual stuff.

30:41.290 --> 30:45.220
The first thing that you need to make sure when you're doing a PKI server is what?

30:45.250 --> 30:46.150
What do you need?

30:48.670 --> 30:49.690
A set of keys.

30:51.020 --> 30:52.460
You need a set of keys, right?

30:52.490 --> 30:53.840
Just like before.

30:53.870 --> 30:55.070
You require a set of keys.

30:55.100 --> 30:58.220
Now, either you can create a domain name if you want to.

31:00.620 --> 31:02.480
Or you could just create keys.

31:04.240 --> 31:06.910
And label them so any one of the two will work.

31:07.880 --> 31:08.120
Right.

31:08.120 --> 31:10.280
So I can call it cats.

31:11.790 --> 31:13.920
Nonetheless, let's make it 1024.

31:16.760 --> 31:17.030
Done.

31:18.110 --> 31:19.130
I have the keys.

31:19.130 --> 31:19.340
Right.

31:19.340 --> 31:19.850
So.

31:21.980 --> 31:22.550
Can do it here.

31:23.570 --> 31:25.950
Step one is NTP.

31:28.540 --> 31:29.620
Synchronization.

31:34.340 --> 31:35.330
Step two is what?

31:37.820 --> 31:42.140
Generate the set of RSA keys.

31:43.440 --> 31:43.830
Don't.

31:45.130 --> 31:47.050
Generate power.

31:49.410 --> 31:50.120
Modulus.

31:52.590 --> 31:53.220
1024.

31:54.330 --> 31:55.410
Doesn't label them.

31:57.880 --> 32:00.640
If you're not if you don't have a domain name, then you need to.

32:01.480 --> 32:04.900
Otherwise the domain name will automatically give it to.

32:06.210 --> 32:06.670
And a.

32:11.840 --> 32:16.520
Exportable means you are taking keys from here and making some other guy the server using the same keys.

32:17.030 --> 32:17.930
Don't have to do that.

32:18.380 --> 32:20.200
You only have one CA, right?

32:22.130 --> 32:27.290
The other thing that you need to make sure that you do is IP http server.

32:28.550 --> 32:30.020
A lot of people forget this.

32:32.320 --> 32:34.120
Right, because it's very simple stuff.

32:34.120 --> 32:34.410
Stuff.

32:34.510 --> 32:35.050
Stuff.

32:35.890 --> 32:36.850
Why do you need it?

32:37.120 --> 32:42.160
Because all the certificate requests will be coming on port number 80.

32:43.390 --> 32:44.890
All your certificate requests.

32:45.620 --> 32:51.020
For enrollment use a protocol called SCEP, Simple Certificate Enrollment Protocol.

32:51.770 --> 32:55.360
The packets will come on TCP port number 80.

32:55.370 --> 32:57.590
So you need to open that port number here.

32:58.100 --> 32:58.620
On this.

33:00.280 --> 33:03.640
If you don't do it, your certificate server will not come up.

33:07.190 --> 33:08.520
Will not come up.

33:10.870 --> 33:11.200
Okay.

33:11.200 --> 33:13.660
Make sure you do that then.

33:14.560 --> 33:17.290
The PKI server.

33:17.440 --> 33:19.120
Call it anything that you want.

33:20.010 --> 33:23.400
Just a name here has no significance whatsoever.

33:24.060 --> 33:24.960
I'll give it a.

33:29.230 --> 33:30.110
Third step was what?

33:31.480 --> 33:32.110
Enable.

33:34.170 --> 33:35.470
Http services.

33:36.590 --> 33:37.220
On the.

33:47.440 --> 33:47.650
Right.

33:47.980 --> 33:49.390
So you need to name it anything.

33:49.390 --> 33:49.600
Right?

33:49.600 --> 33:50.560
This is up to you.

33:50.560 --> 33:52.690
You can name it whatever you want.

33:53.560 --> 33:54.160
The quality.

33:54.400 --> 33:55.300
Today is Tuesday, right?

33:58.160 --> 33:58.430
Right.

33:58.670 --> 34:00.380
Then you have certain commands.

34:02.870 --> 34:07.420
The first thing that you always use is database URL.

34:07.430 --> 34:09.650
Where do you want to save these certificates?

34:11.910 --> 34:16.830
The certificate that you generate the public key where you want to store it, I'll say store it in.

34:18.770 --> 34:20.470
So in the certificate, the IC.

34:20.480 --> 34:21.300
Will be generated.

34:21.320 --> 34:22.100
It'll be stored where?

34:22.220 --> 34:23.000
In the flash.

34:23.000 --> 34:27.800
So I can remove it from flash and then install it wherever I want to install it.

34:28.460 --> 34:29.690
Export it basically.

34:30.730 --> 34:33.130
The public part will be stored; the private,

34:33.160 --> 34:34.240
You won't see the private.

34:36.490 --> 34:40.030
When this key pair is generated, you won't see the private part.

34:40.270 --> 34:41.920
You'll see the public certificate.

34:41.920 --> 34:43.960
You can remove it and place it anywhere else.

34:44.140 --> 34:46.660
You could also change the format if you wanted to.

34:46.660 --> 34:48.010
I'll leave it as the default.

34:48.730 --> 34:49.870
What else do I have?

34:50.230 --> 34:51.360
I've done this.

34:51.370 --> 34:52.300
I need to do.

34:52.300 --> 34:52.840
Grant.

34:54.460 --> 34:55.660
I need to say Grant.

34:56.700 --> 34:58.260
Now there's two ways of granting it.

34:59.430 --> 35:02.580
One is none means do not grant any certificates.

35:02.610 --> 35:04.220
The other one is manual.

35:04.230 --> 35:05.310
I'll show you how, manual.

35:05.460 --> 35:05.970
Manually.

35:05.970 --> 35:06.690
You can do it.

35:06.720 --> 35:07.640
Now what is Grant?

35:07.650 --> 35:11.280
Manual is when the guy comes in, right?

35:11.280 --> 35:13.260
When R1 comes and registers itself.

35:13.290 --> 35:15.090
Do I just grant him the certificate?

35:16.270 --> 35:17.320
I don't do that.

35:17.860 --> 35:19.000
I keep it in a queue.

35:20.430 --> 35:21.870
It will stay in a queue, right?

35:21.900 --> 35:27.630
Because when he comes, his public key will come in and stay in a queue and then he'll have to present

35:27.630 --> 35:30.300
his documents and do everything and then I can accept it.

35:31.200 --> 35:32.180
On the Microsoft server.

35:32.190 --> 35:33.150
That's how you do it.

35:33.180 --> 35:37.070
On this router, you cannot do it because it doesn't work properly.

35:37.080 --> 35:37.920
It gets stuck.

35:37.950 --> 35:40.170
You have to restart the certificate services.

35:40.200 --> 35:41.160
Then it works.

35:41.800 --> 35:43.750
So the best way to do it here is what.

35:44.860 --> 35:46.990
Grant Auto, whoever comes registers.

35:47.020 --> 35:49.570
Give him certificate automatically.

35:49.610 --> 35:50.530
It's good.

35:50.560 --> 35:53.800
In our case, because we know that all the routers are ours.

35:53.800 --> 35:55.160
And this is our server.

35:56.600 --> 35:58.670
I'm not going to grant it to anybody else.

35:58.700 --> 36:01.400
Once everybody is granted, I'll shut down the granting.

36:01.400 --> 36:02.000
I'll say Grant.

36:02.030 --> 36:02.300
None.

36:02.330 --> 36:03.230
After that.

36:04.810 --> 36:06.400
Whenever I need it, I'll turn it on.

36:06.400 --> 36:08.110
Whenever I don't need it, I'll just turn it off.

36:08.530 --> 36:13.740
Making sure that only the people, only the routers which are connected are registered to.

36:15.880 --> 36:18.580
Okay, grant auto.

36:18.640 --> 36:20.350
You can choose the algorithm.

36:21.780 --> 36:24.270
That you wish to use in the certificate?

36:24.300 --> 36:26.010
Not really important in our case.

36:26.010 --> 36:26.190
Why?

36:26.220 --> 36:27.900
Because we are using it only for.

36:28.790 --> 36:30.920
I see only for identification.

36:30.920 --> 36:34.850
So we don't really need a hashing mechanism.

36:34.850 --> 36:36.140
This is important.

36:36.170 --> 36:37.370
This is everything.

36:41.580 --> 36:42.120
It's showing me.

36:43.350 --> 36:44.040
Now.

36:44.280 --> 36:51.810
Have you ever heard about the x509 way of writing the issuer name and everything?

36:52.110 --> 36:53.280
You might have seen it.

36:54.070 --> 36:54.940
It's a standard.

36:57.870 --> 37:03.390
If you open any certificate out there, you'll see it follows a standard.

37:03.720 --> 37:04.830
This is the standard.

37:06.450 --> 37:10.530
CN. You have to write CN, certificate name.

37:11.490 --> 37:14.510
OU is called organizational unit.

37:14.530 --> 37:15.900
Organizational unit.

37:16.050 --> 37:17.520
O is your organization.

37:17.550 --> 37:18.690
C is your country.

37:20.200 --> 37:21.900
That's VeriSign.

37:21.910 --> 37:25.420
The certificate, the CA, the name of the CA is mentioned like that.

37:25.430 --> 37:26.100
CN.

37:27.650 --> 37:28.670
Right then.

37:28.700 --> 37:30.350
OU, organizational unit.

37:30.350 --> 37:31.970
This is VeriSign, Class three.

37:32.390 --> 37:33.560
OU is VeriSign.

37:33.590 --> 37:36.860
Trust Network Organization is VeriSign, Inc.

37:37.100 --> 37:39.740
And country is the same way.

37:39.740 --> 37:41.690
When you have to write it, you write it the same way.

37:41.720 --> 37:43.400
Your name is CN.

37:44.870 --> 37:45.680
I'll call it.

37:46.970 --> 37:48.800
But VeriSign is something for them; something for us.

37:49.490 --> 37:52.670
Something with respect to our CA.

37:52.970 --> 37:54.050
Say, for example, my CA.

37:54.080 --> 37:54.470
Right.

37:54.500 --> 37:55.610
So I could say.

37:56.630 --> 37:56.930
Give me a.

37:59.890 --> 38:00.580
This is anything.

38:00.580 --> 38:01.330
This is just a name.

38:02.280 --> 38:05.060
This is just the name of a company, any company that you want.

38:08.810 --> 38:09.860
Brown bears.

38:10.870 --> 38:12.330
Dot Brown bears.

38:12.340 --> 38:12.730
That's it.

38:13.450 --> 38:15.670
Organizational unit is, let's say.

38:16.280 --> 38:18.470
Training organization.

38:19.060 --> 38:19.890
Is it?

38:20.680 --> 38:23.020
Country is UAE.

38:25.540 --> 38:27.910
The certificate server resides in UAE.

38:29.320 --> 38:31.140
And this is the organizational unit.

38:31.150 --> 38:35.020
This is the name of the company Brown Bears and organization, is it?

38:35.050 --> 38:35.470
That's it.

38:35.470 --> 38:40.420
Just to see this latest so we can verify that this is the certificate that we created.

38:40.540 --> 38:43.780
Remember this because this is how you will identify your certificate.

38:46.170 --> 38:46.650
Okay.

38:46.860 --> 38:49.110
And the last thing that you have to do is.

38:51.080 --> 38:52.460
By default, it's shut.

38:53.440 --> 38:54.190
You need to.

38:54.860 --> 38:55.060
No.

38:55.820 --> 38:57.500
Also lifetime.

38:59.550 --> 39:00.060
Lifetime.

39:00.060 --> 39:00.870
There's two lifetimes.

39:00.870 --> 39:02.430
You have lifetime of a certificate.

39:02.430 --> 39:03.990
Lifetime of a CA certificate.

39:06.020 --> 39:06.890
What do they mean?

39:08.680 --> 39:10.150
What is the difference between the two?

39:10.180 --> 39:13.360
When I grant certificates to whoever is coming to me.

39:14.360 --> 39:17.870
How how often how long is it going to be valid for?

39:18.770 --> 39:22.400
That is certificate. CA certificate is my public key.

39:22.430 --> 39:24.200
How long is that going to be valid?

39:26.510 --> 39:28.790
My default is five years and three years.

39:28.790 --> 39:34.400
You can change it to one year or two years depending upon your own self.

39:34.430 --> 39:35.300
Now this.

39:35.300 --> 39:37.220
The certificate is not up to you.

39:38.630 --> 39:41.450
When you become a CA, you also get it from someone else, right?

39:41.450 --> 39:43.730
You go to an authority and sign your papers.

39:43.730 --> 39:48.620
You want to be a CA so they will let you know how much is the lifetime of your root certificate?

39:51.830 --> 39:58.610
Somebody is about about the public, you will be the same for five years.

40:00.460 --> 40:01.830
And we said.

40:03.570 --> 40:06.000
Private key will always be with the certificate server.

40:07.400 --> 40:09.020
Cannot see last time.

40:09.020 --> 40:09.380
Remember?

40:09.380 --> 40:12.290
How long did it take to break that? This is the same encryption.

40:13.460 --> 40:20.300
I showed you the video where, to break that encryption, it takes billions and billions of years to break this

40:20.330 --> 40:20.510
key.

40:20.540 --> 40:21.530
This is the same key.

40:22.470 --> 40:23.340
The same public key.

40:23.460 --> 40:25.260
That was the video that I was talking about.

40:25.290 --> 40:29.460
They wanted you to come and that was the ad they wanted to come and register with them because their

40:29.460 --> 40:30.460
key is not breakable.

40:32.830 --> 40:32.980
Right.

40:33.070 --> 40:35.950
They wanted choice of where they wanted to.

40:35.960 --> 40:37.900
You choose them instead of VeriSign.

40:38.260 --> 40:40.120
This marketing going on there too.

40:42.070 --> 40:42.430
Same.

40:43.560 --> 40:45.120
Yeah, the algorithms are the same.

40:45.120 --> 40:46.080
No, this is RSA.

40:46.830 --> 40:48.780
These are public and private keys.

40:49.110 --> 40:50.100
A set of keys.

40:51.580 --> 40:55.840
Then AES, SHA and all of those things, those are used later.

40:57.440 --> 40:58.960
Here is triple DES.

40:58.970 --> 41:05.150
Those will be used by your which your SSL VPN for encryption and decryption here.

41:05.150 --> 41:09.260
I'm not using any encryption decryption here, I'm just using this for identity.

41:15.890 --> 41:16.550
They will not.

41:16.670 --> 41:20.380
They will not in the next update.

41:20.840 --> 41:23.420
And the next update, they will update themselves.

41:23.540 --> 41:26.410
Usually what they would do is they would use the same public key next time also.

41:28.600 --> 41:31.000
The case, they'll use the same public key.

41:31.330 --> 41:36.670
But even if they have to change it, the next update of the browser will have that information.

41:39.040 --> 41:39.370
Yeah.

41:40.570 --> 41:42.850
Length of RSA depending upon how you choose it.

41:42.850 --> 41:44.680
Right now, I chose it as 1024.

41:44.980 --> 41:49.150
The public is right now the ones which you are getting are not less than 2048.

41:50.940 --> 41:51.770
Zero for it usually.

41:53.220 --> 41:53.370
Right.

41:53.550 --> 41:55.260
So no need this for now.

41:55.260 --> 41:56.310
I'll just say no.

41:57.450 --> 41:59.460
Shut. The moment you say no shut,

41:59.700 --> 42:00.990
it'll ask you for a password.

42:01.020 --> 42:03.600
This password is used to locally.

42:03.630 --> 42:06.030
Locally only encrypt your private key.

42:07.950 --> 42:08.520
Locally.

42:10.710 --> 42:11.070
Right.

42:12.420 --> 42:19.590
Locally encrypt the private so that if someone even opens your, you know, flash or wherever it's stored

42:19.590 --> 42:26.130
he cannot see what's there; it's encrypted already. To see that you have to enter the private key.

42:26.400 --> 42:27.010
Yeah.

42:28.900 --> 42:32.260
You'll be prompted whenever you install this anywhere.

42:32.290 --> 42:34.390
Now you'll be prompted for a password.

42:35.620 --> 42:38.830
You install it on a browser, you install it anywhere you need.

42:38.830 --> 42:41.320
That certificate server has been enabled.

42:41.320 --> 42:43.300
If I check my flash, what will I find?

42:47.940 --> 42:48.840
Not even to.

42:53.090 --> 42:53.570
They need to.

42:54.380 --> 42:56.270
What is this in the flash?

42:56.530 --> 42:57.800
Remember database URL?

42:57.830 --> 42:58.940
I kept it as flash.

42:58.970 --> 42:59.780
What does that mean?

43:00.140 --> 43:04.240
Save the public key in the flash so I can export it from there.

43:04.250 --> 43:07.250
Before I do that, let me write down the command so we are on track.

43:07.520 --> 43:08.540
I said crypto.

43:09.410 --> 43:11.120
PKI server.

43:11.480 --> 43:12.590
What do you call it?

43:14.630 --> 43:17.120
Then I said database.

43:18.610 --> 43:20.400
URL should be flash.

43:20.410 --> 43:21.580
Save it in flash.

43:22.540 --> 43:23.230
Grant.

43:26.480 --> 43:28.190
Issuer name was the important part.

43:30.100 --> 43:30.400
I said.

43:32.020 --> 43:32.920
Is.

43:34.000 --> 43:35.050
Brown bears.

43:36.670 --> 43:38.410
OU is.

43:40.190 --> 43:41.480
Or is it?

43:42.270 --> 43:43.110
C is.

43:45.730 --> 43:46.840
And then I said no.

43:48.520 --> 43:51.180
You can also specify hashing mechanism lifetime.

43:51.190 --> 43:52.030
Those are.

43:52.060 --> 43:53.020
That's up to you.

43:54.210 --> 43:55.980
Okay, let's copy this.

43:56.340 --> 43:58.890
First of all, let me see if my FTP server is.

44:03.470 --> 44:03.920
Started.

44:05.150 --> 44:06.940
Copy from Flash.

44:08.100 --> 44:09.330
Do the FTP server.

44:10.440 --> 44:11.340
Source file name.

44:15.470 --> 44:16.820
Then when you do.

44:18.590 --> 44:19.220
25.

44:20.270 --> 44:21.620
Destination file name the same.

44:38.340 --> 44:39.220
Need to bind it to the.

45:05.130 --> 45:05.910
I don't have enough.

45:06.840 --> 45:07.610
What is he talking about?

45:27.600 --> 45:28.260
Now another one.

46:34.770 --> 46:35.910
Your strip is not working.

46:53.040 --> 46:53.730
Was already copied.

46:55.320 --> 46:58.290
So if we go right now to the E drive.

46:58.890 --> 46:59.880
You should see.

47:01.230 --> 47:01.650
Dot.

47:06.760 --> 47:07.810
Take it to the rest stop.

47:09.200 --> 47:12.740
Double click on It says, Do you want to import it or not?

47:13.340 --> 47:14.690
Don't do it from here.

47:15.080 --> 47:17.270
You import it from your SSL.

47:19.250 --> 47:23.090
In the root authorities you click on import.

47:24.700 --> 47:25.450
File name.

47:31.770 --> 47:32.640
All types.

47:36.240 --> 47:36.600
Thank you.

47:39.210 --> 47:40.170
Click on next.

47:40.200 --> 47:41.400
What is the password?

47:41.430 --> 47:43.140
Remember the password for the private key?

47:43.830 --> 47:44.030
Cisco.

47:44.070 --> 47:44.790
One, two, three.

47:45.750 --> 47:46.050
Led.

47:46.050 --> 47:47.400
Next place it.

47:47.400 --> 47:48.540
Yes, please.

47:48.750 --> 47:50.310
And click on finish.

47:50.550 --> 47:51.390
Check out this message.

47:51.390 --> 47:52.380
This is very important.

47:52.590 --> 48:01.260
It says Brown bears with organizational unit of training, organization of T and C of UAE is trying

48:01.260 --> 48:03.450
to install its root certificate.

48:03.480 --> 48:06.600
Windows cannot validate that this is actually from brown bears.

48:07.380 --> 48:07.630
Right.

48:07.650 --> 48:13.200
You should confirm its origin by contacting brown bears wherever this is, the following number will

48:13.200 --> 48:13.860
assist you.

48:14.580 --> 48:15.990
This is the thumbprint.

48:17.240 --> 48:19.370
Thumbprint off this certificate.

48:19.370 --> 48:20.480
So you go to them.

48:20.510 --> 48:21.950
Tell them this is the thumbprint.

48:22.190 --> 48:24.080
Tell me, what is this guy?

48:24.290 --> 48:25.750
Which certificate is this?

48:25.760 --> 48:27.380
So he'll give you more information about.

48:28.370 --> 48:28.960
It's a SHA.

48:30.140 --> 48:31.730
It's a hash value of the certificate.

48:32.950 --> 48:34.570
Right now it's using SHA-1, right?

48:34.570 --> 48:35.320
We didn't change it.

48:35.710 --> 48:36.760
We kept it as SHA.

48:37.840 --> 48:39.460
This is the one thing which is important.

48:39.670 --> 48:47.110
If you install this, windows will automatically trust any certificate that has been issued by this.

48:48.820 --> 48:51.250
Anything that the CA will issue from now on.

48:52.240 --> 48:53.590
Windows will trust it.

48:53.590 --> 48:54.190
Right.

48:54.190 --> 48:56.320
Installing a certificate with unconfirmed.

48:56.320 --> 48:57.130
Unconfirmed.

48:57.160 --> 48:58.990
Thumbprint is a security risk.

48:59.170 --> 49:00.190
Please click Yes.

49:00.190 --> 49:01.690
Only if you acknowledge this risk.

49:02.970 --> 49:03.450
I'll say.

49:04.890 --> 49:05.280
Yes.

49:06.530 --> 49:06.760
Right.

49:06.920 --> 49:08.420
The import was successful.

49:08.450 --> 49:09.830
You should see it.

49:12.930 --> 49:14.850
Somewhere right here.

49:18.430 --> 49:20.890
Valid from 2015 to 2018.

49:22.120 --> 49:23.050
Details.

49:25.280 --> 49:28.470
Brown bears training everything the same.

49:28.490 --> 49:30.800
Your public key is right here.

49:31.350 --> 49:32.510
1024 bits.

49:36.090 --> 49:38.910
Your key ID, your subject ID, everything.

49:42.600 --> 49:43.100
They can.

49:46.300 --> 49:46.520
Right.

49:47.290 --> 49:47.920
I created it.

49:47.920 --> 49:48.430
From where?

49:48.700 --> 49:49.840
From the router.

49:50.680 --> 49:52.090
And not much was done.

49:52.300 --> 49:55.870
Only these few commands that I said save it in flash.

49:55.870 --> 49:57.100
And this is the issuer name.

49:57.100 --> 49:57.680
That's it.

49:57.700 --> 49:59.260
Everything else is by default.

50:00.710 --> 50:03.290
The important part is this is the public key, remember?

50:03.890 --> 50:05.990
And now your browser trusts it.

50:07.780 --> 50:10.270
Now your browser trusts this publicly.

50:10.270 --> 50:12.280
That means anything issued.

50:13.920 --> 50:15.570
By this server.

50:15.570 --> 50:20.100
So now if HDFC Bank comes and registers even to the server.

50:21.510 --> 50:24.330
And then he comes to you creating the connection, you will accept it.

50:25.870 --> 50:27.040
The AC will be accepted.

50:28.580 --> 50:29.580
Any questions?

50:29.600 --> 50:30.650
Any confusion?

50:36.870 --> 50:37.070
Yeah.

50:39.860 --> 50:40.500
FTP is here.

50:40.500 --> 50:42.180
I just copied from here to the host.

50:43.670 --> 50:44.690
Then I put the certificate.

50:47.290 --> 50:48.130
Any questions?

50:50.600 --> 50:51.040
Before.

50:51.050 --> 50:52.220
Before I move further.

50:57.300 --> 50:57.570
Clear.

50:58.830 --> 50:59.250
Everybody.

51:00.670 --> 51:01.570
Can I take a break?

51:12.100 --> 51:12.400
Yeah.

51:14.480 --> 51:22.090
The bill signed is right now, the R1 and R3 will now become the clients of the CA.

51:24.470 --> 51:25.760
Right now, the server is up.

51:25.760 --> 51:26.570
That means.

51:28.220 --> 51:28.670
No, no.

51:28.670 --> 51:32.060
See, what I've done right now is I've created the server.

51:32.360 --> 51:34.310
Now it has a private key.

51:37.070 --> 51:37.890
And the public key.

51:37.910 --> 51:39.740
The public key will give out to everybody.

51:44.880 --> 51:45.270
Right now.

51:45.270 --> 51:46.500
It has also given the public key.

51:46.500 --> 51:46.850
To whom?

51:50.940 --> 51:51.870
For the P.C.C.

51:52.830 --> 51:55.050
The Kacprzyk is now.

51:55.050 --> 51:57.000
The clients have not registered themselves yet.

51:57.840 --> 51:58.440
Now what?

51:58.440 --> 51:58.980
The clients.

51:58.980 --> 52:01.500
My next objective will be this client.

52:02.260 --> 52:06.080
We'll go and register yourself to the server and get an IC.

52:08.030 --> 52:12.590
That IC will be signed by what? This private. It will be signed.

52:13.860 --> 52:18.270
And this guy will go up, get an IC signed by what, same private.

52:19.660 --> 52:21.870
So when they exchange, they're exchanging this.

52:21.880 --> 52:22.370
IC.

52:22.600 --> 52:25.990
Say, IC1 and IC2, and IC1 goes to R3.

52:26.380 --> 52:29.150
It will verify it only because it has the public key of this CA.

52:30.710 --> 52:35.420
Similarly, when IC2 goes to R1, it will verify it because it has the.

52:39.350 --> 52:40.460
He's able to open it.

52:40.640 --> 52:42.630
Open It means he can verify.

52:43.570 --> 52:44.740
Verified right now.

52:44.740 --> 52:48.070
The second objective after the break, what we are going to do is.

52:49.070 --> 52:49.430
Right now.

52:49.430 --> 52:51.020
The public key is in the flash here.

52:51.020 --> 52:51.470
Right.

52:51.830 --> 52:53.810
I need to give the public key to this guy.

52:55.810 --> 52:56.300
And the.

52:57.870 --> 53:00.960
This public key should be exported to these two people.

53:02.420 --> 53:04.400
Right now only exported it to the host.

53:04.730 --> 53:05.960
I also need to give it to.

53:06.230 --> 53:07.340
This is known as trust.

53:07.370 --> 53:08.060
Trusting the.

53:09.730 --> 53:10.060
We will.

53:12.100 --> 53:12.640
Copy paste.

53:12.670 --> 53:13.270
No, that was.

53:13.270 --> 53:14.050
That was different.

53:14.110 --> 53:14.950
He can't do it here.

53:15.310 --> 53:18.430
If you do copy paste, you're copying pasting the whole private and public.

53:21.950 --> 53:22.250
No.

53:22.750 --> 53:25.190
That you copy or paste the whole thing.

53:25.970 --> 53:28.910
And it has to store it in a specific location.

53:29.120 --> 53:34.100
That one is not stored where you want it to be stored with the cut and copy.

53:34.310 --> 53:36.470
That would mean you're creating an exportable.

53:37.700 --> 53:38.780
It's not feasible.

53:41.580 --> 53:42.570
Distance imaging.

53:44.410 --> 53:45.790
This is a digital signature.

53:46.090 --> 53:47.680
This is exactly what it is.

53:50.250 --> 53:50.930
They come with you?

53:52.530 --> 53:54.000
The same exact same concept.

53:54.930 --> 53:57.870
You go to a CA, he signs your signature.

53:57.870 --> 54:04.110
So whenever you present that signature to anybody else, he will only validate it if it is a trusted

54:04.110 --> 54:04.830
guy who signed you.

54:06.630 --> 54:09.440
So VeriSign or all those people, they will sign, right?

54:09.460 --> 54:11.440
So they'll sign your digital signature.

54:11.440 --> 54:16.180
So tomorrow when you show someone your signature, because they already trust VeriSign, they'll trust

54:16.180 --> 54:16.540
you.

54:18.940 --> 54:21.450
Going to open that channel.

54:25.780 --> 54:26.140
The sea.

54:26.260 --> 54:28.540
Names information will be signed by.

54:29.170 --> 54:30.260
No, not everything.

54:30.280 --> 54:30.640
Not.

54:30.640 --> 54:31.180
Not everything.

54:31.280 --> 54:38.590
Apart from everything else will be not not everything else, but a big portion of it will be signed

54:38.590 --> 54:39.990
by will be signed by the private.

54:40.420 --> 54:41.530
A very big portion of it.

54:43.010 --> 54:43.310
Right.

54:45.780 --> 54:45.960
As.

54:47.400 --> 54:48.600
So what is the next thing?

54:50.610 --> 54:51.930
Register themselves.

54:52.020 --> 54:52.860
Trust the CA.

54:52.890 --> 54:53.520
That's it.

54:53.760 --> 55:01.650
The first criteria for the clients is that they should be able to reach the CA, which they

55:01.650 --> 55:02.160
can.

55:03.090 --> 55:03.990
They can reach this here.

55:04.770 --> 55:08.310
Right now, what I want to do is enroll.

55:09.380 --> 55:10.010
There's two things.

55:10.280 --> 55:11.630
One is authenticate.

55:11.720 --> 55:13.160
The other is called enroll.

55:13.670 --> 55:16.070
Authenticate means trust.

55:16.340 --> 55:17.630
What does trust mean?

55:20.170 --> 55:21.220
To get the certificate.

55:22.000 --> 55:22.960
The public certificate.

55:24.750 --> 55:25.070
Right.

55:25.100 --> 55:25.730
Let's do that.

55:25.730 --> 55:26.750
How Crypto.

55:26.750 --> 55:27.770
Now you can do it two ways.

55:27.770 --> 55:32.030
Either you can do it based on crypto or you can just use crypto.

55:32.480 --> 55:35.060
It depends on it does not make a difference.

55:35.060 --> 55:35.810
Both are the same.

55:36.620 --> 55:42.220
You can either say crypto ca trustpoint or you can say crypto pki trustpoint.

55:42.230 --> 55:43.520
Both mean the same thing.

55:44.420 --> 55:46.100
Then you specify the name.

55:46.490 --> 55:49.820
Again, this is local, so I'll say read.

55:52.340 --> 55:55.610
Enrollment URL http.

55:56.090 --> 55:58.070
Now see what I'm doing.

56:03.590 --> 56:05.180
For the certificate request.

56:05.210 --> 56:07.640
Go to which address?

56:09.040 --> 56:10.150
At which port number?

56:11.570 --> 56:13.190
So you go and register itself.

56:13.220 --> 56:15.560
There's also one more thing that I have to show you.

56:15.980 --> 56:16.790
It's called.

56:20.290 --> 56:21.270
Revocation check.

56:21.270 --> 56:22.710
What is a revocation check?

56:27.260 --> 56:29.120
Is it valid right now or not?

56:29.780 --> 56:33.170
See, sometimes what can happen is you go you have a company, right?

56:33.380 --> 56:35.930
It goes and registers itself and creates a public key.

56:36.680 --> 56:43.490
Once it has that public key, right after that, what happens is, say the company shuts down.

56:44.610 --> 56:47.340
But that public key is installed everywhere in the world.

56:48.600 --> 56:50.190
That means anyone can.

56:51.350 --> 56:52.280
Can imitate them.

56:53.510 --> 56:53.840
Right.

56:53.840 --> 56:58.910
So at that time, what you do is you go to the server and you tell them, listen, revoke this

56:58.910 --> 57:00.140
certificate, please.

57:01.220 --> 57:03.800
My company has been shut down, revoke this certificate.

57:03.830 --> 57:07.930
Whenever that certificate is supposed to be used anywhere, a revocation check is done.

57:07.940 --> 57:12.170
That means the guy will ask the CA is this valid right now or not?

57:13.660 --> 57:15.100
Have you revoked it or not?

57:15.550 --> 57:17.290
That's called revocation check.

57:17.320 --> 57:22.360
In our case, it's not available with the router as a CA, so I'll just say revocation check should

57:22.360 --> 57:23.140
not be done.

57:26.290 --> 57:28.770
Revocation should not be done.

57:28.780 --> 57:29.650
Another thing.

57:30.770 --> 57:33.770
Now, this is all that you need in the beginning to trust it.

57:33.890 --> 57:34.670
Crypto.

57:35.850 --> 57:38.850
We call it CA authenticate.

57:38.880 --> 57:39.720
What was the name?

57:39.830 --> 57:40.110
W.

57:44.170 --> 57:44.690
Check it out.

57:44.710 --> 57:45.520
Three commands only.

57:45.520 --> 57:46.570
I went to the client.

57:49.190 --> 57:49.970
I said.

57:51.400 --> 57:51.910
Crypto.

57:54.350 --> 57:55.340
Trustpoint.

57:56.120 --> 57:57.500
Call it just a name.

57:59.890 --> 58:04.840
Then I said, enrollment will go and you go and enroll yourself to the URL of Http.

58:07.770 --> 58:11.040
151.24.4.

58:11.090 --> 58:14.160
Add port number and set revocation.

58:15.160 --> 58:15.820
Check.

58:17.310 --> 58:21.450
Then we use the command crypto key to authenticate.

58:25.020 --> 58:31.030
W.E.B. Authenticate means install the public certificate of this guy.

58:31.060 --> 58:33.430
Go and ask him for the public certificate.

58:35.460 --> 58:37.200
That's the message that you see here.

58:37.200 --> 58:38.820
It's giving you that thumbprint.

58:38.830 --> 58:42.250
Remember, the thumbprint is telling you this is the thumbprint.

58:42.270 --> 58:44.250
Do you really want to accept it or not?

58:45.490 --> 58:47.490
If I accept it, that means I'm trusting him.

58:50.980 --> 58:52.300
Should see the certificate now.

58:52.300 --> 58:55.570
Show crypto CA certificates.

59:01.050 --> 59:04.440
This is the public key, not the public key.

59:04.470 --> 59:05.400
The CA's.

59:07.200 --> 59:11.370
The issuer, which the CA installed on you.

59:11.400 --> 59:12.540
Now you trust him.

59:12.900 --> 59:16.560
Any certificate assigned by this guy will be trusted by you.

59:17.130 --> 59:18.180
Makes it tough to keep up.

59:18.840 --> 59:20.220
The public is.

59:53.650 --> 59:55.380
It's stored in the nvram.

59:59.610 --> 1:00:00.900
This is the full certificate.

1:00:02.890 --> 1:00:04.340
It doesn't display the public key.

1:00:04.360 --> 1:00:07.000
I guess there is an RSA public key.

1:00:07.300 --> 1:00:08.500
1024 bit.

1:00:08.890 --> 1:00:09.550
Right.

1:00:09.600 --> 1:00:10.880
Doesn't display the full key.

1:00:10.900 --> 1:00:11.890
It's stored somewhere.

1:00:11.890 --> 1:00:13.780
Somewhere hidden somewhere.

1:00:16.240 --> 1:00:16.480
Right.

1:00:16.480 --> 1:00:19.540
This is the full key, the full signature that you see on that side.

1:00:21.140 --> 1:00:21.440
Right.

1:00:21.920 --> 1:00:24.310
I have only what trusted the guy.

1:00:24.320 --> 1:00:25.730
I also need to do What?

1:00:28.120 --> 1:00:28.360
First.

1:00:28.360 --> 1:00:29.320
I trust both of them.

1:00:29.350 --> 1:00:30.640
Let's trust both sides.

1:00:30.880 --> 1:00:31.950
I have R1 and R3.

1:00:31.960 --> 1:00:33.640
I'll do the same thing on R3: crypto.

1:00:33.670 --> 1:00:36.070
Here I'll use PKI trust point.

1:00:36.100 --> 1:00:39.430
So I'll show you the difference with enrollment.

1:00:39.730 --> 1:00:40.720
Is what same?

1:00:41.560 --> 1:00:42.490
The address is the same.

1:00:42.490 --> 1:00:42.940
Right?

1:00:43.450 --> 1:00:49.270
151 dot 20 4.4, port number, revocation check.

1:00:52.180 --> 1:00:53.620
There is a crypto here.

1:00:53.620 --> 1:00:56.680
It's PKI trust point authenticate.

1:00:57.440 --> 1:00:58.740
Sorry, big guy.

1:00:58.850 --> 1:00:59.710
Authenticate.

1:01:02.060 --> 1:01:02.630
Here we go.

1:01:03.670 --> 1:01:03.970
Please.

1:01:03.970 --> 1:01:04.210
Yes.

1:01:04.240 --> 1:01:06.520
Get the certificate Trust point Certificate.

1:01:06.520 --> 1:01:07.240
Accept it.

1:01:07.270 --> 1:01:07.660
Now.

1:01:07.660 --> 1:01:08.710
Both of these.

1:01:13.820 --> 1:01:16.370
Both R1 and R3 are worth trusting.

1:01:16.370 --> 1:01:16.720
Whom?

1:01:18.210 --> 1:01:19.050
The server.

1:01:19.050 --> 1:01:23.700
So any certificate issued by the PKI server will be trusted by them also.

1:01:27.150 --> 1:01:27.450
Now.

1:01:27.450 --> 1:01:28.830
I'll go and register myself.

1:01:29.530 --> 1:01:30.070
How?

1:01:31.830 --> 1:01:33.420
I'll create a set of keys here.

1:01:33.450 --> 1:01:35.670
Then I'll take the public part of that key.

1:01:36.420 --> 1:01:37.110
Get it signed.

1:01:38.070 --> 1:01:39.180
Same thing from this side.

1:01:39.180 --> 1:01:40.320
I'll create a set of keys.

1:01:40.350 --> 1:01:42.390
Get the public part of that key signed.

1:01:44.260 --> 1:01:44.470
By.

1:01:46.620 --> 1:01:47.480
I commend all the.

1:01:49.600 --> 1:01:50.780
Authenticate is a macro.

1:01:50.800 --> 1:01:51.580
It's not a command.

1:01:51.940 --> 1:01:55.330
Macro means it's just entered there and it's executed on spot.

1:01:55.690 --> 1:01:57.010
It means I'm directing.

1:01:57.010 --> 1:02:00.490
I'm telling him to go and get the certificate from the.

1:02:03.410 --> 1:02:04.700
It doesn't stay in the running config.

1:02:06.090 --> 1:02:09.400
This command doesn't stay; it's just like show run or show commands.

1:02:09.420 --> 1:02:12.750
You execute it once it gets executed and then it's lost.

1:02:13.140 --> 1:02:14.010
You call it a macro.

1:02:15.330 --> 1:02:15.730
Right.

1:02:15.750 --> 1:02:19.650
So the first step would be to create that set of keys.

1:02:19.680 --> 1:02:24.030
Now, it doesn't have to be large because it's just used for authentication.

1:02:24.030 --> 1:02:28.080
So I'll just say generate RSA modulus; I'll keep it as 512.

1:02:28.530 --> 1:02:30.930
I'll label them, I'll call them key.

1:02:32.430 --> 1:02:33.300
Small keys.

1:02:34.680 --> 1:02:36.510
Then I'll go back to my trust point.

1:02:36.900 --> 1:02:37.170
Trust.

1:02:37.170 --> 1:02:37.710
Point.

1:02:37.740 --> 1:02:38.760
What was it called?

1:02:39.750 --> 1:02:40.290
Wednesday.

1:02:40.530 --> 1:02:43.530
Here I have another option, which is called RSA Key Pair.

1:02:47.020 --> 1:02:47.830
That is a key pair.

1:02:49.100 --> 1:02:49.370
Right.

1:02:50.150 --> 1:02:50.750
I'll choose it.

1:02:50.750 --> 1:02:52.130
As What was the name of the key?

1:02:55.040 --> 1:02:56.540
I'm telling my trust point.

1:02:56.690 --> 1:02:59.450
Use this set of keys to get.

1:02:59.660 --> 1:03:00.320
Get your IDC.

1:03:01.380 --> 1:03:07.890
How? Crypto CA, not authenticate but enroll, w id.

1:03:09.890 --> 1:03:11.210
It says, Enter the password.

1:03:12.800 --> 1:03:14.470
Now this password is used.

1:03:14.480 --> 1:03:14.960
I'll tell you.

1:03:14.960 --> 1:03:19.880
Do you want to include your router serial number in the subject name of your

1:03:19.880 --> 1:03:20.240
IDC?

1:03:20.270 --> 1:03:21.530
I don't want to do that.

1:03:21.530 --> 1:03:22.400
And IP address.

1:03:22.400 --> 1:03:24.260
I don't want to do that request.

1:03:24.260 --> 1:03:25.040
Yes.

1:03:27.020 --> 1:03:28.790
Certificate request succeeded.

1:03:32.860 --> 1:03:37.120
So show crypto CA certificates.

1:03:38.100 --> 1:03:39.530
This is your certificate.

1:03:39.540 --> 1:03:41.150
So this is the certificate.

1:03:41.160 --> 1:03:42.360
This is your certificate.

1:03:48.510 --> 1:03:48.690
This.

1:03:48.690 --> 1:03:51.030
Is yours valid for one year?

1:03:52.510 --> 1:03:53.620
512 bits.

1:03:54.990 --> 1:03:58.950
And this is your CA that was there before.

1:04:00.060 --> 1:04:01.440
Again, what are the steps?

1:04:04.010 --> 1:04:04.730
Crypto.

1:04:07.010 --> 1:04:13.430
Key generate RSA modulus 512 label.

1:04:15.710 --> 1:04:16.180
Okay.

1:04:16.580 --> 1:04:18.380
Again, go back to the trust point.

1:04:20.490 --> 1:04:21.480
And say what?

1:04:22.290 --> 1:04:24.660
RSA key pair is.

1:04:26.980 --> 1:04:28.120
Then the last command is what?

1:04:29.330 --> 1:04:30.950
Crypto CA.

1:04:32.460 --> 1:04:33.270
Enrolled.

1:04:35.610 --> 1:04:38.270
Enroll means go with your public key.

1:04:38.480 --> 1:04:40.070
Get it signed by the CA.

1:04:40.370 --> 1:04:43.280
The CA will grant it, give you the certificate.

1:04:43.310 --> 1:04:44.630
Now you have the IDC.

1:04:46.260 --> 1:04:47.820
Now you have the IDC.

1:04:47.850 --> 1:04:49.950
I'll go and get the IDC for the other guy also.

1:04:49.980 --> 1:04:50.400
How?

1:04:51.740 --> 1:04:54.410
Even if you don't specify the RSA key pair, it will still work.

1:04:54.440 --> 1:04:55.700
See crypto.

1:04:56.690 --> 1:05:00.840
CA certificate from here, enroll wd.

1:05:05.450 --> 1:05:06.770
Generated its own new

1:05:06.800 --> 1:05:08.150
512-bit key pair.

1:05:08.480 --> 1:05:11.390
If you don't specify it, it will do it automatically.

1:05:12.640 --> 1:05:15.520
You create a set of keys and go and register it with the.

1:05:17.140 --> 1:05:19.510
Earlier I specified it using the RSA key pair here.

1:05:19.510 --> 1:05:21.450
I didn't so automatically.

1:05:21.460 --> 1:05:23.080
No, no.

1:05:23.800 --> 1:05:24.370
Yes.

1:05:28.130 --> 1:05:29.270
So crypto.

1:05:29.880 --> 1:05:30.300
Is.

1:05:39.860 --> 1:05:41.930
So crypto certificate.

1:05:44.440 --> 1:05:44.710
Again.

1:05:44.710 --> 1:05:45.490
This is your first key.

1:05:45.520 --> 1:05:48.370
512 bits, fingerprint, and everything is right here.

1:05:48.370 --> 1:05:55.660
And then you see: now both of you have what? An IDC. Now when I create my ISAKMP tunnel I do not

1:05:55.660 --> 1:05:56.410
require.

1:05:58.120 --> 1:06:01.060
A pre-shared key. I have an IDC for identification.

1:06:01.450 --> 1:06:02.860
That's all I would require.

1:06:07.020 --> 1:06:08.310
R3 is registered now.

1:06:09.420 --> 1:06:10.620
R3 is registered, right?

1:06:10.740 --> 1:06:11.370
Yeah.

1:06:12.960 --> 1:06:13.860
We have commands.

1:06:13.890 --> 1:06:14.520
I agree.

1:06:14.520 --> 1:06:16.290
We have more commands than earlier.

1:06:16.320 --> 1:06:19.230
See, first of all, on the client side, how many commands do you have?

1:06:19.590 --> 1:06:21.990
One, two, three and four.

1:06:23.110 --> 1:06:24.180
On the client side.

1:06:24.190 --> 1:06:26.250
But why is it scalable?

1:06:26.260 --> 1:06:28.300
Is because my business.

1:06:28.840 --> 1:06:30.640
Now, tomorrow another guy comes in.

1:06:32.630 --> 1:06:35.500
Another guy comes in, he doesn't need a separate key with this guy.

1:06:35.540 --> 1:06:36.420
Separate key with this guy?

1:06:36.440 --> 1:06:36.650
No.

1:06:36.650 --> 1:06:38.050
All he needs to go and register with this.

1:06:38.060 --> 1:06:38.840
Yeah, he's done.

1:06:39.830 --> 1:06:40.600
Another guy comes in.

1:06:40.630 --> 1:06:41.030
Another guy.

1:06:41.030 --> 1:06:42.920
If you have 1000 people coming in.

1:06:43.010 --> 1:06:45.080
The only thing that they need to do is what?

1:06:45.470 --> 1:06:46.850
Register themselves with the key.

1:06:47.030 --> 1:06:51.440
They don't need a separate key for this guy or for this guy or for nothing like that.

1:06:51.440 --> 1:06:52.400
No configuration.

1:06:52.610 --> 1:06:56.930
All they need to do is register with the key to get their certificate done.

1:06:58.310 --> 1:06:59.330
They can communicate.

1:07:00.870 --> 1:07:01.290
Right.

1:07:02.870 --> 1:07:03.950
Let's create the tunnel.

1:07:05.450 --> 1:07:06.620
Do you remember the steps?

1:07:09.800 --> 1:07:10.060
Crypto.

1:07:15.290 --> 1:07:15.950
Encryption.

1:07:18.590 --> 1:07:19.400
Authentication.

1:07:20.870 --> 1:07:22.520
I do not require it by default.

1:07:22.520 --> 1:07:28.040
It's RSA-sig, but I'll also specify it; RSA-sig means RSA signatures.

1:07:28.130 --> 1:07:28.970
Digital signatures.

1:07:30.270 --> 1:07:35.030
Right, then hash SHA, group 2.

1:07:36.190 --> 1:07:37.450
Do I need the second part?

1:07:41.360 --> 1:07:42.350
I don't need the key.

1:07:44.360 --> 1:07:45.080
Don't need the key.

1:07:46.480 --> 1:07:49.320
Step three is the IPsec.

1:07:51.180 --> 1:07:52.040
Transform set.

1:07:52.280 --> 1:07:53.220
He said.

1:08:00.170 --> 1:08:01.250
ACL would require.

1:08:03.690 --> 1:08:06.780
Access list 101 permit IP going from ten.

1:08:08.010 --> 1:08:08.410
410.

1:08:08.420 --> 1:08:08.690
One one.

1:08:11.780 --> 1:08:11.960
Winning.

1:08:12.020 --> 1:08:13.580
Two, ten 330.

1:08:18.330 --> 1:08:18.810
Crypto.

1:08:25.420 --> 1:08:28.030
Crypto map, map and PC.

1:08:30.140 --> 1:08:30.760
Set peer.

1:08:30.800 --> 1:08:33.440
150.1.13.2.

1:08:34.720 --> 1:08:35.260
Match.

1:08:35.710 --> 1:08:36.430
Address one.

1:08:37.770 --> 1:08:39.310
Set transform-set.

1:08:41.890 --> 1:08:42.100
Today.

1:08:44.110 --> 1:08:46.810
Then interface fast Ethernet zero zero.

1:08:50.240 --> 1:08:51.160
Remember, no key.

1:08:51.170 --> 1:08:52.550
I have not specified any key.

1:09:00.730 --> 1:09:01.760
Making sure it is fast.

1:09:02.170 --> 1:09:02.640
Zero zero.

1:09:02.650 --> 1:09:04.780
Yes, it is going to R3.

1:09:05.970 --> 1:09:07.580
Need to do the same exact thing.

1:09:07.760 --> 1:09:09.500
The only thing that changes is.

1:09:10.940 --> 1:09:12.560
As it gets shifted.

1:09:13.840 --> 1:09:15.630
And here becomes.

1:09:28.720 --> 1:09:29.070
Given.

1:09:33.380 --> 1:09:33.890
Violin.

1:09:37.200 --> 1:09:37.910
Use the private.

1:09:39.610 --> 1:09:40.440
Even use 100.

1:09:41.520 --> 1:09:42.000
Why?

1:09:43.080 --> 1:09:46.980
Because here private addresses cannot go on the public cloud.

1:09:48.410 --> 1:09:51.650
If 10.1 is not encapsulated and goes as 10.1, it will not go through the cloud.

1:09:51.650 --> 1:09:55.460
The cloud will stop it because it's the Internet there.

1:09:55.460 --> 1:09:56.390
It was not the Internet.

1:09:56.390 --> 1:09:57.740
It was a man connection.

1:09:59.140 --> 1:10:00.010
So you're not doing any.

1:10:01.760 --> 1:10:03.140
With that's actually done.

1:10:07.970 --> 1:10:13.190
But the way we configure it, we tell him that the outside peer should be one 5123, right.

1:10:13.430 --> 1:10:15.950
That means the outside header should be one 5123.

1:10:16.620 --> 1:10:18.050
Then we don't use a set peer.

1:10:19.220 --> 1:10:23.420
You can give the loopback if you want, but you should have loopback reachability.

1:10:25.430 --> 1:10:28.010
Sure, if you have reachability from this loopback to.

1:10:31.550 --> 1:10:32.240
Yes.

1:10:33.610 --> 1:10:38.430
To which direction new track appears as.

1:10:40.630 --> 1:10:40.910
Static.

1:10:42.930 --> 1:10:43.380
Isaac.

1:10:44.860 --> 1:10:47.350
It doesn't matter, but it matters.

1:10:47.910 --> 1:10:48.670
Every second matters.

1:10:48.670 --> 1:10:48.940
Is that.

1:10:51.130 --> 1:10:52.110
We'll have a look at it.

1:10:52.120 --> 1:10:52.840
Show it to me.

1:10:55.370 --> 1:10:56.330
My wireshark is running.

1:10:56.330 --> 1:10:56.750
Right.

1:10:57.740 --> 1:10:58.940
I'll send a ping to.

1:10:59.760 --> 1:11:01.170
10.1.1.1 with the source of

1:11:03.100 --> 1:11:03.280
10.

1:11:03.280 --> 1:11:04.000
3.3.3.

1:11:04.990 --> 1:11:05.620
Goes through.

1:11:10.660 --> 1:11:11.110
Check it out.

1:11:12.690 --> 1:11:13.440
One and two.

1:11:13.890 --> 1:11:14.640
Three and four.

1:11:15.540 --> 1:11:16.740
Four and five.

1:11:16.770 --> 1:11:18.090
Check out the sizes.

1:11:19.440 --> 1:11:21.390
638 and 606.

1:11:22.280 --> 1:11:22.670
Why?

1:11:24.250 --> 1:11:24.750
The IDC.

1:11:26.390 --> 1:11:27.980
IDCs, these are getting exchanged now.

1:11:29.090 --> 1:11:29.990
Not the PSK.

1:11:30.770 --> 1:11:31.820
PSK was small.

1:11:32.390 --> 1:11:34.280
Now full IDCs are getting transferred.

1:11:34.490 --> 1:11:35.810
So I'm sending you my IDC.

1:11:35.960 --> 1:11:36.800
You're sending me your

1:11:36.800 --> 1:11:37.100
IDC.

1:11:37.220 --> 1:11:38.540
You will only accept my

1:11:38.540 --> 1:11:38.840
IDC

1:11:38.840 --> 1:11:41.510
if you trust the server. I will only accept your

1:11:41.510 --> 1:11:42.920
IDC if I trust the server.

1:11:44.690 --> 1:11:47.020
Make sure you understand that part right.

1:11:47.030 --> 1:11:49.670
If the other guy trusts him, then only he will accept me.

1:11:49.790 --> 1:11:53.080
If I trust him, then only I will accept the other guy's.

1:11:57.580 --> 1:11:58.060
Yes.

1:11:58.090 --> 1:12:03.160
Obviously everything, everything starting from packet four onwards, is encrypted using the session.

1:12:06.320 --> 1:12:06.560
Did.

1:12:09.450 --> 1:12:10.010
Good, right?

1:12:11.200 --> 1:12:13.300
This is your server.

1:12:13.540 --> 1:12:15.970
Any questions with the configuration and everything?

1:12:24.020 --> 1:12:24.860
Any questions?

1:12:26.370 --> 1:12:27.570
Let me ask you a question.

1:12:28.440 --> 1:12:29.160
What if?

1:12:29.880 --> 1:12:30.180
What?

1:12:31.690 --> 1:12:33.190
This is one server.

1:12:34.600 --> 1:12:38.110
The SMTP server here is not an SMTP server; it's another PKI server.

1:12:38.780 --> 1:12:41.620
Let's have two PKI servers now right here and right here.

1:12:43.750 --> 1:12:44.200
One.

1:12:45.580 --> 1:12:48.100
Gets his IDC from this server.

1:12:49.040 --> 1:12:50.540
R3 gets its IDC from.

1:12:55.000 --> 1:12:57.460
What would you have to do to make it work?

1:13:03.360 --> 1:13:03.710
Great.

1:13:05.930 --> 1:13:06.880
And export the keyword.

1:13:10.260 --> 1:13:11.600
So you need R1.

1:13:12.450 --> 1:13:13.530
To trust whom?

1:13:14.170 --> 1:13:14.410
Both.

1:13:14.890 --> 1:13:15.670
Both the servers.

1:13:16.980 --> 1:13:18.670
R1 should be trusting both the servers.

1:13:18.690 --> 1:13:20.940
R3 should be trusting both the servers.

1:13:20.940 --> 1:13:26.200
Because when R1 gives him the IDC, it will only accept it if it's trusting the PKI server here.

1:13:27.430 --> 1:13:33.760
When R3 gives out his IDC, R1 will only understand it if it trusts whom? The other.

1:13:33.780 --> 1:13:33.970
So.

1:13:37.220 --> 1:13:42.210
Authenticate both the servers, enroll only one. Enroll means to get the IDC.

1:13:42.930 --> 1:13:45.050
IDC will only be from one.

1:13:45.050 --> 1:13:46.850
Enrollment should be to both of them.

1:13:48.600 --> 1:13:49.950
Using different species.

1:13:50.130 --> 1:13:54.480
Crypto trust point name, different names.

1:13:54.860 --> 1:14:00.520
W1, W ed: enroll only one, authenticate both.

1:14:01.530 --> 1:14:04.530
So you get two certificates from two different servers.

1:14:05.890 --> 1:14:06.190
Right.

1:14:06.190 --> 1:14:07.540
And then you create that.

1:14:09.430 --> 1:14:10.960
That would be what you will do.

1:14:12.110 --> 1:14:13.220
To practice this.

1:14:14.230 --> 1:14:14.650
Okay.

1:14:14.740 --> 1:14:18.010
Another one thing that I want to ask is.

1:14:19.140 --> 1:14:19.920
Right now.

1:14:19.920 --> 1:14:24.330
If I wanted to create a tunnel between R1 and the PKI server, is it possible?

1:14:27.410 --> 1:14:27.710
And I.

1:14:30.230 --> 1:14:32.240
Say the PKI server had another loopback.

1:14:38.600 --> 1:14:40.480
Uh, loopback zero.

1:14:40.490 --> 1:14:42.710
The address here is ten .4.4.4.

1:14:42.710 --> 1:14:49.160
Let's say for the labs sake I want to encrypt traffic going from 10.1 to 10.4.

1:14:50.490 --> 1:14:51.300
Is it possible?

1:14:55.260 --> 1:14:55.830
Yes.

1:14:57.280 --> 1:14:57.810
Message.

1:14:58.660 --> 1:14:59.950
I want to tunnel IPsec Tunnel.

1:15:02.950 --> 1:15:05.740
What I'll do is I'll go to that site, I'll go to this.

1:15:05.740 --> 1:15:08.170
This is, this is what I'll paste on the server.

1:15:08.380 --> 1:15:16.960
So I'll say traffic going from 10.4.4.0 going to 10.1, set peer is 12.1, and I'll attach the map.

1:15:18.600 --> 1:15:19.660
From the server.

1:15:20.430 --> 1:15:20.880
Right.

1:15:20.880 --> 1:15:22.530
So let's go there.

1:15:22.740 --> 1:15:25.180
Before I do that, let me see if it is zero zero.

1:15:25.260 --> 1:15:26.310
I'm sure it is.

1:15:26.820 --> 1:15:27.690
It is zero zero.

1:15:27.690 --> 1:15:29.100
So I'll go to the PKI server.

1:15:32.770 --> 1:15:34.090
And I'll paste this.

1:15:35.770 --> 1:15:36.760
From R1.

1:15:36.760 --> 1:15:37.990
What I'll do is.

1:15:39.350 --> 1:15:42.980
I do the same, I'll create another 1 or 2.

1:15:44.070 --> 1:15:45.870
Which is from the same thing that we did earlier.

1:15:45.870 --> 1:15:48.910
We've done this before from 10.1 to 10.4.

1:15:48.930 --> 1:15:54.330
Since I cannot use the same crypto map I need, I can use the same crypto map, different sequence number

1:15:54.450 --> 1:15:54.960
here.

1:15:54.960 --> 1:15:56.580
This would be 24.4.

1:15:58.360 --> 1:15:59.290
Address will be.

1:16:00.590 --> 1:16:01.350
This is the same.

1:16:08.270 --> 1:16:08.470
Then.

1:16:09.730 --> 1:16:10.720
Will this work?

1:16:15.200 --> 1:16:15.800
Will this work?

1:16:15.830 --> 1:16:17.030
If it will.

1:16:18.060 --> 1:16:18.420
Okay.

1:16:18.420 --> 1:16:20.940
If it will not, which packet will be stopped?

1:16:29.010 --> 1:16:29.730
It will be the first.

1:16:30.450 --> 1:16:32.430
If it will not, then will be the five and six.

1:16:32.430 --> 1:16:34.920
Understandable because we are doing certificates.

1:16:35.100 --> 1:16:35.730
Yeah.

1:16:38.000 --> 1:16:39.680
Exactly the PKI server right now.

1:16:39.710 --> 1:16:40.500
Does it have an IDC?

1:16:42.020 --> 1:16:42.290
Guys.

1:16:43.020 --> 1:16:45.160
It doesn't have an IDC; it has a key pair.

1:16:45.210 --> 1:16:48.690
It has a public and a private key that is used to sign other IDCs.

1:16:51.210 --> 1:16:52.680
That is only used for signing.

1:16:54.410 --> 1:16:56.200
That is used for signing other certificates.

1:16:56.210 --> 1:16:58.790
It doesn't have its own IDC, which is signed by himself.

1:16:59.840 --> 1:17:00.830
For this to work.

1:17:00.830 --> 1:17:01.940
It needs an IDC.

1:17:03.240 --> 1:17:04.560
Which is signed by himself.

1:17:05.770 --> 1:17:07.570
Also, it needs to trust itself.

1:17:10.030 --> 1:17:10.330
Right.

1:17:10.330 --> 1:17:17.280
It needs to install its own certificate in that area in the NVRAM where it installs the root certificates.

1:17:18.860 --> 1:17:22.730
So you need to enroll and trust yourself for this to work.

1:17:23.240 --> 1:17:25.850
If I don't, let's see what happens.

1:17:35.470 --> 1:17:37.420
Packet number five and six.

1:17:40.180 --> 1:17:42.670
Packet number five is going, but six is not coming.

1:17:42.670 --> 1:17:42.820
Why?

1:17:42.850 --> 1:17:44.260
Because I'm sending him the IDC.

1:17:44.590 --> 1:17:47.220
It's not accepting it because it doesn't trust the CA.

1:17:47.230 --> 1:17:51.160
It doesn't trust himself, and it doesn't have an IDC to send back to me.

1:17:51.160 --> 1:17:52.120
So how do I do it?

1:17:52.120 --> 1:17:53.020
Very, very simple.

1:17:53.020 --> 1:17:54.640
I'll go to the PKI server.

1:17:57.740 --> 1:18:00.200
Certificate received from the request failed.

1:18:00.980 --> 1:18:06.530
I'll say crypto CA trust point, I'll call it anything but one.

1:18:08.460 --> 1:18:09.960
Right enrollment URL.

1:18:09.990 --> 1:18:11.160
My own address.

1:18:13.420 --> 1:18:16.780
24.4, port 80, revocation check.

1:18:19.090 --> 1:18:28.280
Crypto CA authenticate raid one to authenticate myself; crypto CA enroll to get an IDC.

1:18:34.080 --> 1:18:35.970
I still have to tell you what this does.

1:18:38.970 --> 1:18:39.570
Yes.

1:18:40.990 --> 1:18:41.320
Now.

1:18:41.320 --> 1:18:42.340
I have received the certificate.

1:18:44.440 --> 1:18:48.100
Right now, when you receive the certificate and you try to do this again.

1:18:48.970 --> 1:18:49.120
Now.

1:18:49.150 --> 1:18:49.530
It should work.

1:18:53.870 --> 1:18:57.470
Right, because now the CA also has a certificate to give back, to give

1:18:57.500 --> 1:18:58.280
Back to you.

1:19:02.350 --> 1:19:02.600
Not.

1:19:02.650 --> 1:19:03.880
We won't really do it.

1:19:04.810 --> 1:19:06.430
We won't really do it in real time.

1:19:07.080 --> 1:19:08.320
So will be kept separately.

1:19:08.320 --> 1:19:13.990
But in case you have, say, ten routers and you are having a problem with the PSK, but you want

1:19:13.990 --> 1:19:18.250
all of them to communicate to each other, you can just convert one of them into a CA quickly, real

1:19:18.250 --> 1:19:23.190
quick and give the certificates to everybody and it can also communicate at the same time.

1:19:23.200 --> 1:19:27.070
It's not like GET VPN, where the key server has to be different. Here

1:19:27.070 --> 1:19:31.060
the PKI server, as a router, can also communicate to the other devices.

1:19:32.460 --> 1:19:34.020
Can create tunnels with other devices.

1:19:36.440 --> 1:19:36.680
Okay.

1:19:37.820 --> 1:19:38.540
Any questions?

1:19:39.200 --> 1:19:40.340
It started in Ouroboros.

1:19:41.540 --> 1:19:41.870
I see.

1:19:42.260 --> 1:19:42.600
I see.

1:19:42.620 --> 1:19:43.100
Stored in there.

1:19:45.020 --> 1:19:45.300
I see.

1:19:46.610 --> 1:19:46.980
I see.

1:19:47.420 --> 1:19:47.750
I see.

1:19:48.790 --> 1:19:52.410
IDC: the IDC has the public key in it.

1:19:52.410 --> 1:19:54.380
The IDC has the subject name, everything.

1:19:54.400 --> 1:19:54.910
Subject.

1:19:54.940 --> 1:19:55.270
Name.

1:19:55.320 --> 1:19:56.000
CN.

1:19:56.050 --> 1:19:58.290
Organizational Unit OU RSA.

1:19:58.330 --> 1:20:00.100
Which type of encryption you're using?

1:20:00.490 --> 1:20:03.160
All of that information along with the public key.

1:20:03.820 --> 1:20:03.950
Yeah.

1:20:04.060 --> 1:20:05.590
Complete the signature thumbprint.

1:20:05.590 --> 1:20:06.160
Everything.

1:20:12.520 --> 1:20:12.970
Real life.

1:20:12.970 --> 1:20:14.590
It's usually Microsoft servers.

1:20:19.310 --> 1:20:19.790
That would be.

1:20:23.090 --> 1:20:25.760
On Microsoft, we have a graphical user interface.

1:20:29.720 --> 1:20:30.910
There is a role, right?

1:20:31.060 --> 1:20:32.470
The servers have roles.

1:20:32.520 --> 1:20:33.210
DNS role.

1:20:33.250 --> 1:20:34.660
The role just like that.

1:20:34.660 --> 1:20:40.090
You have PKI role where you just click on it and it gives you a graphical interface of, okay, I'm

1:20:40.090 --> 1:20:41.230
a PKI server now.

1:20:41.350 --> 1:20:43.360
Now I can give out certificates.

1:20:44.200 --> 1:20:44.440
Right.

1:20:47.050 --> 1:20:47.540
No, there.

1:20:47.540 --> 1:20:48.560
You cannot create a tunnel.

1:20:49.010 --> 1:20:50.630
No, you cannot create a tunnel with that.

1:20:58.230 --> 1:20:58.530
Ken.

1:20:59.280 --> 1:20:59.570
Ken?

1:20:59.580 --> 1:20:59.760
Ken.

1:21:00.520 --> 1:21:01.060
Can easily.

1:21:01.060 --> 1:21:02.650
Can very easily can.

1:21:04.610 --> 1:21:04.810
Yeah.

1:21:04.840 --> 1:21:08.260
If you have remote access, AnyConnect, you can do it with the

1:21:12.890 --> 1:21:13.280
Who?

1:21:17.490 --> 1:21:18.510
Then I don't understand.

1:21:18.510 --> 1:21:19.170
What?

1:21:24.720 --> 1:21:25.720
It's okay.

1:21:26.230 --> 1:21:26.680
And then.

1:21:28.590 --> 1:21:31.200
Do you want to have a VPN in the DMZ?

1:21:31.590 --> 1:21:32.060
Okay.

1:21:33.910 --> 1:21:35.910
You can do that with the PKI server.

1:21:35.920 --> 1:21:37.270
Just trust you.

1:21:37.270 --> 1:21:38.770
Just see, the thing is.

1:21:50.590 --> 1:21:52.000
I'm showing you where this is.

1:21:52.360 --> 1:21:55.990
The thing is, with ASAs, you don't have to do it on the ASAs.

1:21:56.260 --> 1:21:59.550
When you're doing it with a CA, you don't have to do it on the ASAs.

1:21:59.560 --> 1:22:03.640
You have to do it through the ASAs, through the ASA.

1:22:04.550 --> 1:22:05.050
Yes.

1:22:05.060 --> 1:22:06.050
Transit through the ASA.

1:22:06.380 --> 1:22:09.200
In that case, all you need to know is which ports to open.

1:22:12.260 --> 1:22:15.320
500 and you have to open anyways for IPsec.

1:22:15.350 --> 1:22:17.060
What else do you need to open here?

1:22:18.620 --> 1:22:19.030
Open it.

1:22:19.550 --> 1:22:20.150
That's it.

1:22:21.160 --> 1:22:21.520
That's it.

1:22:22.580 --> 1:22:22.840
Open.

1:22:22.870 --> 1:22:23.750
It'll go through.

1:22:25.950 --> 1:22:27.320
When you open it, you'll go through.

1:22:28.810 --> 1:22:31.780
IPsec and ISP you have to anyways allow through the.

1:22:34.200 --> 1:22:34.590
So.

1:22:34.650 --> 1:22:35.930
No, no destination.

1:22:36.780 --> 1:22:38.250
It'll be a normal Http connection.

1:22:38.250 --> 1:22:38.820
Yes.

1:22:38.850 --> 1:22:39.900
Destination 80.

1:22:40.200 --> 1:22:42.270
You should probably have it somewhere here.

1:22:43.050 --> 1:22:43.890
When it was okay.

1:22:43.890 --> 1:22:45.870
I did not register when it was enrolling.

1:22:45.870 --> 1:22:48.050
When you're enrolling, you'll see all the requests that are going in.

1:22:48.060 --> 1:22:50.730
We'll go to port number 80 because I used Http on the other side.

1:22:50.760 --> 1:22:50.940
Right.

1:22:51.700 --> 1:22:52.150
Anyway.

1:22:53.650 --> 1:22:56.590
Going to port number 80 will go through on the ASA.

1:22:56.620 --> 1:22:57.730
You don't have to do these things.

1:22:57.730 --> 1:22:59.950
The things that are on your syllabus, on the ASA.

1:23:00.160 --> 1:23:01.840
I'm covering them separately later.

1:23:03.230 --> 1:23:03.740
All of them.

1:23:05.190 --> 1:23:07.140
Know from from your syllabus point of view.

1:23:08.290 --> 1:23:10.750
From the important point of view, the ones which you need.

1:23:10.930 --> 1:23:16.450
For example, Easy VPN will start tomorrow, but the biggest deployment of Easy VPN is from the ASA.

1:23:17.470 --> 1:23:19.600
They use the ASA for Easy VPN a lot.

1:23:22.010 --> 1:23:22.400
Up VPN.

1:23:22.430 --> 1:23:22.690
Yes.

1:23:22.710 --> 1:23:23.180
AnyConnect.

1:23:24.560 --> 1:23:24.980
Recovering.

1:23:24.980 --> 1:23:25.510
That's essential.

1:23:27.550 --> 1:23:28.240
Is it anymore?

1:23:28.570 --> 1:23:28.960
Yeah.

1:23:28.960 --> 1:23:29.380
Now.

1:23:29.380 --> 1:23:31.450
Now this is the.

1:23:32.020 --> 1:23:32.890
Yes, yes.

1:23:32.890 --> 1:23:35.080
Plus we have what do you call it?

1:23:35.090 --> 1:23:37.450
AnyConnect is getting more famous than Easy VPN.

1:23:39.140 --> 1:23:41.720
The one which you are talking about is getting more famous.

1:23:41.720 --> 1:23:45.140
Now Secure mobility agent will be covering that a lot.

1:23:45.170 --> 1:23:47.660
It's not in your syllabus, but I will be covering that.

1:23:57.390 --> 1:23:58.230
Gwynplaine is gone.

1:24:02.560 --> 1:24:03.760
Then we got a stuff.

1:24:04.150 --> 1:24:04.900
But in case.

1:24:07.660 --> 1:24:11.380
See, in that case, The thing is, you have to understand the whole process of how it takes place.

1:24:11.410 --> 1:24:17.290
We'll also be doing tunnels, the VPN and AnyConnect using certificates.

1:24:17.860 --> 1:24:18.700
So the PIN files.

1:24:18.700 --> 1:24:21.250
So I'll be putting that file on the GUI.

1:24:21.280 --> 1:24:26.200
If it doesn't have that file, it won't be able to come up and register to me.

1:24:26.530 --> 1:24:26.850
Right.

1:24:26.860 --> 1:24:31.750
So when you give the file and you give the file to the GUI, then depends on what you're creating the

1:24:31.750 --> 1:24:32.120
tunnel with.

1:24:32.140 --> 1:24:35.160
If you're creating it with the ASA, you need to use the debug commands.

1:24:36.900 --> 1:24:42.010
It has tcpdump, but tcpdump is too much because it shows you a lot of traffic.

1:24:42.070 --> 1:24:44.930
Yeah, you cannot stop it once you start it.

1:24:44.940 --> 1:24:49.440
So you can use some other logging commands where you can see the whole exchange that is taking.

1:24:52.830 --> 1:24:54.270
No, Check Point.

1:24:54.300 --> 1:24:55.530
They have amazing logging.

1:24:55.660 --> 1:24:57.450
Check Point has beautiful logging.

1:24:57.450 --> 1:24:58.020
SmartLog.

1:24:58.020 --> 1:24:58.380
Right.

1:24:58.590 --> 1:24:59.490
It's really nice.

1:24:59.730 --> 1:25:01.170
The ASA doesn't have anything like that.

1:25:01.170 --> 1:25:02.310
But the ASA is lighter.

1:25:02.310 --> 1:25:05.010
It gives you more throughput than the Check Point.

1:25:05.740 --> 1:25:08.290
So that's why probably they haven't kept the other stuff in there.

1:25:10.070 --> 1:25:10.530
You see.

1:25:11.820 --> 1:25:12.360
20.

1:25:14.250 --> 1:25:14.630
Think.

1:25:17.530 --> 1:25:17.870
A good.

1:25:23.090 --> 1:25:23.440
Games.

1:25:25.240 --> 1:25:25.870
Yes.

1:25:34.000 --> 1:25:34.420
Okay.

1:25:36.100 --> 1:25:39.040
It is hopped off by the one in the middle?

1:25:39.050 --> 1:25:39.640
Yes.

1:25:48.430 --> 1:25:48.760
Yeah.

1:25:51.160 --> 1:25:51.840
It does.

1:25:51.850 --> 1:25:52.360
It does.

1:25:52.360 --> 1:25:55.990
But the question is, are you getting stuck in the hops?

1:25:56.520 --> 1:25:57.190
Yeah, because.

1:26:02.560 --> 1:26:02.720
In.

1:26:03.460 --> 1:26:05.320
History books is written.

1:26:07.500 --> 1:26:12.570
But the thing is, as long as there is connectivity from the gateway until that server, it doesn't

1:26:12.570 --> 1:26:17.330
matter how many hops are in the middle, as long as connectivity is there, even through a proxy server,

1:26:17.340 --> 1:26:21.330
because the proxy server will change the IP address; it uses its own IP address.

1:26:21.330 --> 1:26:21.650
Right?

1:26:21.660 --> 1:26:29.970
But as long as the proxy server maintains the session, your session until the and then change it,

1:26:29.970 --> 1:26:33.510
change it back to the private and move it move you to the private part.

1:26:33.720 --> 1:26:34.050
Right.

1:26:34.050 --> 1:26:38.970
Moves you to it. As long as the proxy server can maintain the sessions, I don't think that would be a problem.

1:26:42.370 --> 1:26:42.760
Yeah.

1:26:43.300 --> 1:26:44.710
You'll be load balancing between them.

1:26:44.860 --> 1:26:45.000
Yeah.

1:26:49.410 --> 1:26:50.580
You have to reconnect again.

1:26:52.470 --> 1:26:54.690
That is, the session would be lost because of what?

1:26:56.520 --> 1:26:58.610
You have not prompted anything.

1:27:02.540 --> 1:27:02.750
Uh.

1:27:04.920 --> 1:27:06.270
Yeah, yeah, yeah.

1:27:06.270 --> 1:27:07.140
If you don't specify.

1:27:07.140 --> 1:27:07.290
Yeah.

1:27:07.290 --> 1:27:12.760
Because obviously there will be all these firewalls, and all of them do not authenticate

1:27:16.000 --> 1:27:19.060
your details the first time, because the connection is getting through.

1:27:20.200 --> 1:27:21.910
Through the proxy and through.

1:27:21.970 --> 1:27:22.210
Yeah.

1:27:22.240 --> 1:27:22.600
Yeah.

1:27:23.200 --> 1:27:23.650
First time.

1:27:23.650 --> 1:27:25.480
I think that usually happens a lot.

1:27:25.990 --> 1:27:27.000
That usually does happen.

1:27:35.160 --> 1:27:39.630
But you get how this is done, how PKI works. Again, in real life,

1:27:39.660 --> 1:27:43.470
you'll use a Microsoft server or any other Linux server.

1:27:43.500 --> 1:27:46.850
This is only there so that you get an idea of how it works.

1:27:46.860 --> 1:27:51.750
Plus, in a small lab environment, if you really have to do this, if you're running into a problem with

1:27:51.960 --> 1:27:56.810
PSK, you'll shift quickly to PKI; it becomes scalable.

1:27:56.820 --> 1:28:01.620
Now, all the VPNs that you have done until now, till date, you get VPN, your VPN, your site-to-site

1:28:01.620 --> 1:28:09.360
VPN, you can do all of them with PKI. You have done it with PSK; you can practice all of them with

1:28:10.140 --> 1:28:11.430
the same concept.

1:28:11.460 --> 1:28:12.510
Nothing changes.

1:28:13.340 --> 1:28:14.390
The concept remains the same.

1:28:15.690 --> 1:28:16.140
Okay.

1:28:17.290 --> 1:28:17.950
Let us begin.
