Following the Hello messages, the server sends its certificate in a certificate message if it is to be authenticated.
The trust-anchor-profile command determines whether the server must be authenticated by the client.
One of the following configurations can be used to establish server connectivity:
If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.
If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication.
The RSA key of the certificate is used for public key encryption, so the certificate must pass basic checks to be considered valid. These basic checks are as follows:
time validity
The certificate is checked to ensure that it is neither expired nor not yet valid.
certificate type
The certificate must not be a CA certificate.
keyUsage extension
If present, this extension must contain both digital signature and key encryption.
host verification
The IP address or DNS name of the server is looked up, if available, in the common name (cn) or subjectAltName extension. This verifies that the certificate was issued to that server and not to another.
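The four basic checks above, written out in Go against the standard crypto/x509 certificate type. This is an added example, not the product's implementation; basicChecks and hostMatches are hypothetical names. Assumptions: the server's name or address is known, "key encryption" maps to the X.509 keyEncipherment bit, and names are compared exactly with no wildcard handling.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"strings"
	"time"
)

// basicChecks returns the names of the basic checks that the certificate fails.
func basicChecks(c *x509.Certificate, host string, now time.Time) (failed []string) {
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		failed = append(failed, "time validity")
	}
	if c.IsCA {
		failed = append(failed, "certificate type")
	}
	need := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if c.KeyUsage != 0 && c.KeyUsage&need != need { // 0: extension absent (Go's representation)
		failed = append(failed, "keyUsage extension")
	}
	if !hostMatches(c, host) {
		failed = append(failed, "host verification")
	}
	return failed
}

// hostMatches looks host up in subjectAltName and the common name (exact, no wildcards).
func hostMatches(c *x509.Certificate, host string) bool {
	if ip := net.ParseIP(host); ip != nil {
		for _, san := range c.IPAddresses {
			if san.Equal(ip) {
				return true
			}
		}
		return ip.Equal(net.ParseIP(c.Subject.CommonName))
	}
	for _, name := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if name != "" && strings.EqualFold(name, host) {
			return true
		}
	}
	return false
}

func main() { // constructed sample: expired certificate, wrong server name
	c := &x509.Certificate{NotAfter: time.Unix(0, 0), DNSNames: []string{"a.example"}}
	fmt.Println(basicChecks(c, "b.example", time.Now()))
}
```

In a real client the certificate argument would be the leaf certificate presented by the server during the handshake.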