hostname myrouter
ip domain-name test.com
crypto key generate rsa
!--- Generate the RSA key pair. A key length of at least 1024 bits was recommended at the time (use 2048 bits or more today). Check the result with show crypto key mypubkey rsa; only the public key is displayed, the private key is not viewable by design.
crypto ca identity myca
enrollment mode ra
enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll
crl optional
!--- enrollment mode ra sets the enrollment method to RA (Registration Authority); when Windows 2000 is used as the CA, RA enrollment must be used.
!--- crl optional lets the router accept a peer certificate even when the CRL (Certificate Revocation List) cannot be retrieved. Be aware that this also means a revoked certificate is accepted for as long as the CRL is unreachable.
!--- enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll sets the URL of the CA.
A note on this: the router uses Cisco's own SCEP (Simple Certificate Enrollment Protocol) to talk to the CA and fetch the root certificate. The Windows 2000 CA service has no SCEP support out of the box; the Cepsetup.exe add-on from the Windows 2000 Resource Kit must be installed before http://192.168.0.2:80/certsrv/mscep/mscep.dll can be opened in IE.
crypto ca authenticate myca
!--- Retrieve the CA certificate. The prompt looks roughly like this:
Certificate has the following attributes:
Fingerprint: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5
% Do you accept this certificate? [yes/no]: y
!--- The CA certificate fingerprint can also be read by opening http://192.168.0.2:80/certsrv/mscep/mscep.dll; compare the two fingerprints to confirm the identity of the CA. Because the browser fetches it over the same plain HTTP path the router uses, confirm the value with the CA administrator through an independent channel before answering yes.
!--- Once the CA certificate has been obtained, inspect it with show crypto ca certificates:
...
CA Certificate
Status: Available
Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
Key Usage: Signature
...
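The fingerprint comparison above is the one step where a wrong answer silently trusts a rogue CA, so here is a small added example (not code from the original post) that does the check in a script rather than by eye. It assumes, which the page does not state, that the fingerprint IOS prints is the MD5 digest of the CA certificate in DER form and that the mscep.dll endpoint answers the standard SCEP GetCACert query with that DER blob; the certificate bytes used when the script is run stand-alone are a constructed stand-in, not a real certificate.

```python
"""Out-of-band check of the CA fingerprint shown by `crypto ca authenticate`.

Added example, not part of the original post.  Assumptions (not on the page):
the fingerprint IOS prints is the MD5 digest of the DER-encoded CA certificate,
and the MSCEP endpoint answers the SCEP GetCACert query with that DER blob.
"""
import hashlib
import urllib.parse
import urllib.request

MSCEP_URL = "http://192.168.0.2:80/certsrv/mscep/mscep.dll"  # URL from the page


def get_ca_cert_url(base_url: str, ca_ident: str = "ca") -> str:
    """Build the SCEP GetCACert query (RFC 8894, section 4.2.1) for an endpoint."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_ident})
    return f"{base_url}?{query}"


def fetch_ca_cert(base_url: str, timeout: float = 5.0) -> bytes:
    """Download the CA certificate (DER) over plain HTTP; needs network access."""
    with urllib.request.urlopen(get_ca_cert_url(base_url), timeout=timeout) as resp:
        return resp.read()


def ios_fingerprint(der: bytes) -> str:
    """Render the MD5 digest the way IOS prints it: four groups of 8 hex digits."""
    digest = hashlib.md5(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def openssl_fingerprint(der: bytes) -> str:
    """Render the same digest the way `openssl x509 -noout -fingerprint -md5` does."""
    digest = hashlib.md5(der).hexdigest().upper()
    return "MD5 Fingerprint=" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalize_fingerprint(text: str) -> str:
    """Reduce either rendering to bare upper-case hex so they can be compared."""
    # Drop a leading label such as 'Fingerprint: ' or 'MD5 Fingerprint=' if present.
    for sep in ("=", ": "):
        if sep in text:
            text = text.split(sep, 1)[1]
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(shown_by_router: str, expected: str) -> bool:
    """True only if both carry a full 128-bit digest and the digests agree."""
    a, b = normalize_fingerprint(shown_by_router), normalize_fingerprint(expected)
    return len(a) == 32 and a == b


def decide(router_prompt_line: str, ca_der: bytes) -> bool:
    """Answer for '% Do you accept this certificate?': yes only on an exact match."""
    return fingerprints_match(router_prompt_line, ios_fingerprint(ca_der))


if __name__ == "__main__":
    # Constructed stand-in for the DER bytes GetCACert would return.
    sample_der = b"\x30\x82\x01\x00" + b"constructed-ca-certificate-bytes"
    prompt = "Fingerprint: " + ios_fingerprint(sample_der)
    print(get_ca_cert_url(MSCEP_URL))
    print(prompt, "->", "accept" if decide(prompt, sample_der) else "REJECT")
```

To use it against a live CA, replace `sample_der` with `fetch_ca_cert(MSCEP_URL)` and paste the `Fingerprint:` line from the router prompt; a value obtained from the CA administrator over the phone can be passed to `fingerprints_match` in either the IOS or the OpenSSL colon-separated format.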
crypto ca enroll myca
!--- Send the public key to the CA and obtain the router's own certificate. The prompt looks roughly like this:
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: myrouter.test.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
myrouter(config)# Fingerprint: A1D6C28B 6575AD08 F0B656D4 7161F76F
3d09h: CRYPTO_PKI: status = 102: certificate request pending
!--- Note the Password part above; I spent half a day stuck here. This password is the enrollment challenge password and is issued by the CA: open http://192.168.0.2:80/certsrv/mscep/mscep.dll in IE again to obtain it, then copy and paste that challenge password at the password prompt. Be aware that it is an OTP (One Time Password) and is valid for 60 minutes only.
After the request has been submitted, show crypto ca certificates shows the certificate with status Pending:
Certificate
Status: Pending
On the CA, find this request under Pending Requests and choose Issue to issue the certificate. A short while later the router logs a message like:
3d09h: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Now show crypto ca certificates shows the certificate with status Available:
Certificate
Status: Available
A few things to watch during configuration:
1. CA authentication is very sensitive to the system time; where possible, synchronize the CA and the CA clients with NTP.
2. The overall CA configuration steps are:
* define the identity and enrollment parameters of the CA
* obtain the CA certificate
* generate the public/private key pair (it must exist before enrolling; the configuration above generates it first)
* send the public key to the CA and obtain the router's own certificate
* distribute the certificate and verify its validity
3. The time limit on the one-time challenge password (60 minutes)
Here is a further reference document, which is very detailed and well written:
Enrolling for Certificates from a Router
http://www.tburke.net/info/reskittools/topics/mscep_enrolling.htm