hostname myrouter
ip do
-name test.com crypto key generate rsa
!---生成密钥对
建议密钥长度不低于1024位可用sh cry key mypubkey rsa来检查所生成
公钥私钥出于目是不可查看 crypto ca identity myca
enrollment mode ra
enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll
crl optional
!---enrollment mode ra定义CA登记
方式采用RA(Registration Authority)方式如采用 2000做CA中心应采用RA登记方式 !---crl optional定义即使在CRL(Cert
icate Revocation List)不可用时也能接收对方证书 !---enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll句定义了CA中心
URL地址
这里我介绍说明
下
使用了他专有SCEP(Simple Certicate Enrollment Protocol)来和CA中心联系获取根证书WIN2KCA服务缺省没有对SCEP支持需要WIN2K resource kit中个附加工具Cep
up.exe安装完后才能在IE中对http://192.168.0.2:80/certsrv/mscep/mscep.dll进行引用 crypt ca authenticate myca
!---获取CA中心
证书大概提示如下: Cert
icate has the following attributes: Fingerpr
: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5 % Do you accept this cert
icate? [yes/no]: y !---可通过访问http://192.168.0.2:80/certsrv/mscep/mscep.dll来获得CA证书
fingerpr通过比较这两个fingerpr来确认CA中心身份有效性 !---在获取到CA中心
证书后可用show cry ca cert来检查CA Certicate ...
CA Cert
icate Status: Available
Cert
icate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7 Key Usage: Signature
...
crypt ca enroll myca
!---发送公钥给CA中心并获取器自身
证书大概提示如下: % Start cert
icate enrollment .. % Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your cert
icate. For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re−enter password:
% The subject name in the cert
icate will be: myrouter.test.com % Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request cert
icate from CA? [yes/no]: y % Cert
icate request sent to Certicate Authority % The cert
icate request fingerpr will be displayed. % The 'show crypto ca cert
icate' command will also show the fingerpr. myrouter(config)# Fingerpr
: A1D6C28B 6575AD08 F0B656D4 7161F76F 3d09h: CRYPTO_PKI: status = 102: cert
icate request pending !---注意上面
Password部分我就在这里折腾了半天这个口令叫做enrollment challenge password是由CA提供在这里你又需要在IE中键入http://192.168.0.2:80/certsrv/mscep/mscep.dll获取此password然后将这个challenge password粘贴复制到口令提示处需要注意是这个口令是个OTP(One Time Password)口令有效期为60分钟 申请完后再次show cry ca cert
可看到Certicat状态为Pending: Cert
icate Status: Pending
在CA中心
Pending Requests处可找到这个待申请证书然后选择Issue发布此证书在器上过段时间后会收到类似如下提示信息: 3d09h: %CRYPTO−6−CERTRET: Cert
icate received from Certicate Authority 此时再show cry ca cert
可看到Certicat状态为Available: Cert
icate Status: Available
在配置过程中需要注意
几个东西有: 1、CA认证对系统时间很敏感
有条件话尽量在CA中心和CA客户端上使用NTP进行时间同步 2、CA认证
大概配置步骤为: * 定义CA中心
相关鉴别信息 * 获取CA中心
证书 * 生成公钥/私钥对
* 将公钥发送给CA中心并获取自身证书
* 分发证书并验证证书
有效性 3、
次性口令时限问题 另外再发
个参考文档写得很细不错:Enrolling for Cert
icates from a Routerhttp://www.tburke.net/info/reskittools/topics/mscep_enrolling.htm
最新评论