
IOS CA Server Configuration and SCEP Online Enrollment Lab

Lab 1:
1. Configure a Cisco router as a CA server.
2. Use SCEP to request certificates from the CA server.
3. Use the certificates to build a LAN-to-LAN (L2L) VPN.

Certificate enrollment process:
1. The client generates a key pair.
2. The client obtains the CA server certificate (the server's public key); this is the step in which the client authenticates the CA server and establishes trust in the CA.
3. The client submits a certificate request containing at least its identity information and its public key.
4. The CA server signs the certificate.
5. The CA server issues the certificate to the end entity.

Step 1 (very important!):
NTP configuration // Note: NTP synchronises only the time, not the time zone! Configure the time zone on every router first!
CA server configuration:
CA(config)#clock timezone GMT +8
CA#clock set 16:60:30 26 jan 2010
CA(config)#ntp master
CA(config)#ntp authentication-key 1 md5 cisco
CA(config)#ntp trusted-key 1
R1 NTP configuration:
R1(config)#clock timezone GMT +8
R1(config)#ntp authentication-key 1 md5 cisco
R1(config)#ntp trusted-key 1
R1(config)#ntp server 202.100.1.100 key 1
CA server configuration:
CA(config)#ip http server // SCEP runs over HTTP. If there is a firewall in the path, make sure TCP port 80 is permitted.
CA(config)#ip domain name cisco.com
CA(config)#crypto pki server CA
CA(cs-server)#issuer-name cn=CA.cisco.com, c=CN, l=JiNan
CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

Jan 26 03:52:10.075: %SSH-5-ENABLED: SSH 1.99 has been enabled


% Certificate Server enabled.
CA(cs-server)#
Jan 26 03:52:12.547: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA(cs-server)#
CA#show crypto pki server
Certificate Server CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=CA.cisco.com, c=CN, l=JiNan
CA cert fingerprint: 09047506 244CE5BD EB495114 F4F7FE3E
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 11:52:11 GMT Jan 25 2013
CRL NextUpdate timer: 17:52:12 GMT Jan 26 2010
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
CA#dir nvram:
Directory of nvram:/

123 -rw- 1165 <no date> startup-config


124 ---- 24 <no date> private-config
1 -rw- 0 <no date> ifIndex-table
2 -rw- 32 <no date> CA.ser
3 -rw- 251 <no date> CA.crl
4 -rw- 1651 <no date> CA_00001.p12

129016 bytes total (122655 bytes free)


CA#
R1 configuration:
R1(config)#ip domain name cisco.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:


% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
Jan 26 03:56:10.537: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip domain name cisco.com
R1(config)#crypto pki trustpoint CA // define the trustpoint
R1(ca-trustpoint)#enrollment url http://202.100.1.100
R1(ca-trustpoint)#subject-name cn=R1.cisco.com // the router's own identity
R1(ca-trustpoint)#revocation-check crl // check revocation against the CRL
R1(ca-trustpoint)#exit
R1(config)#
R2 is configured the same way.
R1 authenticates the CA server (obtains the root certificate):
R1(config)#crypto pki authenticate CA
Certificate has the following attributes:
Fingerprint MD5: 09047506 244CE5BD EB495114 F4F7FE3E // compare with the fingerprint shown on the CA to confirm the CA's identity
Fingerprint SHA1: 9403D4FD 7023F581 DD7D1A6C FB6DCA31 C333D9D4

% Do you accept this certificate? [yes/no]: yes


Trustpoint CA certificate accepted.
R1(config)#exit
Jan 26 04:00:25.863: %SYS-5-CONFIG_I: Configured from console by console
R1#show cry pki certificates // view the CA certificate that R1 has obtained
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA.cisco.com
c=CN
l=JiNan
Subject:
cn=CA.cisco.com
c=CN
l=JiNan
Validity Date:
start date: 11:52:11 GMT Jan 26 2010
end date: 11:52:11 GMT Jan 25 2013
Associated Trustpoints: CA

R1#
R2 is configured the same way.
R1 requests its own identity certificate:
R1(config)#crypto pki enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=R1.cisco.com


% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: JAB0446C0L2
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA verbose' commandwill show the fingerprint.

R1(config)#
Jan 26 04:04:05.495: CRYPTO_PKI: Certificate Request Fingerprint MD5: 4FEEE572
873FE9D0 ADEC1FCD 4F29843D
Jan 26 04:04:05.507: CRYPTO_PKI: Certificate Request Fingerprint SHA1: CCF127F3
459ACA14 4DC498FC 87BEB260 68F729B8
R1(config)#
R2 is configured the same way.
The CA server reviews and issues the certificates:
CA#crypto pki server CA info requests // view pending requests
Enrollment Request Database:

Subordinate CA certificate requests:


ReqID State Fingerprint SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------

Router certificates requests:


ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending AF5B0731DE3D397E8FE2F495EB2F21FE
serialNumber=JAB0446C0L2+hostname=R2.cisco.com,cn=R2.cisco.com
1 pending 4FEEE572873FE9D0ADEC1FCD4F29843D
serialNumber=JAB0446C0L2+hostname=R1.cisco.com,cn=R1.cisco.com

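Before granting, a defender compares each pending request's fingerprint with the one the enrolling router logged at `crypto pki enroll` time, exactly as the CA fingerprint printed by `crypto pki authenticate` is compared with the `CA cert fingerprint` line of `show crypto pki server`. The helper below is an added example, not part of the original lab; it runs both comparisons on constructed samples copied from the transcripts above, and the function names are my own.

```python
import re

# Constructed samples, copied from the lab transcripts on this page.
R1_AUTH_OUTPUT = """Certificate has the following attributes:
Fingerprint MD5: 09047506 244CE5BD EB495114 F4F7FE3E
Fingerprint SHA1: 9403D4FD 7023F581 DD7D1A6C FB6DCA31 C333D9D4
"""
CA_SERVER_MD5 = "09047506 244CE5BD EB495114 F4F7FE3E"   # 'CA cert fingerprint' on the CA itself

R1_ENROLL_LOG = ("Jan 26 04:04:05.495: CRYPTO_PKI: Certificate Request Fingerprint MD5: "
                 "4FEEE572 873FE9D0 ADEC1FCD 4F29843D")
CA_INFO_REQUESTS = """Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending AF5B0731DE3D397E8FE2F495EB2F21FE serialNumber=JAB0446C0L2+hostname=R2.cisco.com,cn=R2.cisco.com
1 pending 4FEEE572873FE9D0ADEC1FCD4F29843D serialNumber=JAB0446C0L2+hostname=R1.cisco.com,cn=R1.cisco.com
"""

def normalize(fp):
    """Canonical fingerprint: hex digits only, upper case (IOS prints 8-digit groups)."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def ca_fingerprint_matches(authenticate_output, expected_md5):
    """True when the MD5 shown by 'crypto pki authenticate' equals the CA's own fingerprint."""
    m = re.search(r"Fingerprint MD5:\s*([0-9A-Fa-f ]+)", authenticate_output)
    return m is not None and normalize(m.group(1)) == normalize(expected_md5)

def request_fingerprint(enroll_log_line):
    """MD5 the enrolling router logged for its own request (None if absent)."""
    m = re.search(r"Certificate Request Fingerprint MD5:\s*([0-9A-Fa-f ]+)", enroll_log_line)
    return normalize(m.group(1)) if m else None

def parse_pending_requests(info_output):
    """Map ReqID -> (fingerprint, subject) for 'pending' rows of 'crypto pki server CA info requests'."""
    rows = {}
    for line in info_output.splitlines():
        m = re.match(r"\s*(\d+)\s+pending\s+([0-9A-Fa-f]{32})\s*(\S*)", line)
        if m:
            rows[int(m.group(1))] = (normalize(m.group(2)), m.group(3))
    return rows

def triage_requests(info_output, trusted_fingerprints):
    """Split pending ReqIDs into those safe to grant and those to hold for out-of-band checking."""
    trusted = {normalize(f) for f in trusted_fingerprints if f}
    pending = parse_pending_requests(info_output)
    grant = sorted(r for r, (fp, _) in pending.items() if fp in trusted)
    hold = sorted(r for r, (fp, _) in pending.items() if fp not in trusted)
    return grant, hold
```

With only R1's logged fingerprint known, request 1 is granted and request 2 (R2) is held until its fingerprint is confirmed, which is the check `grant all` skips.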
CA# crypto pki server CA grant all // sign and issue the certificates


CA#crypto pki server CA info requests
The Enrollment Request Database is empty.
At this point R1 and R2 display the following message:
Jan 26 14:43:33.337: %PKI-6-CERTRET: Certificate received from Certificate Authority
Now check:
R1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=CA.cisco.com
l=JiNan
Subject:
Name: R1.cisco.com
Serial Number: JAB0446C0L2
serialNumber=JAB0446C0L2+hostname=R1.cisco.com
cn=R1.cisco.com
Validity Date:
start date: 22:43:17 GMT Jan 26 2010
end date: 22:43:17 GMT Jan 26 2011
Associated Trustpoints: CA

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA.cisco.com
l=JiNan
Subject:
cn=CA.cisco.com
l=JiNan
Validity Date:
start date: 22:38:36 GMT Jan 26 2010
end date: 22:38:36 GMT Jan 25 2013
Associated Trustpoints: CA
Two certificates are shown: the router's own identity certificate and the CA certificate.
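The NTP step above matters because a router evaluates the `Validity Date` window against its own clock, so an unsynchronised router rejects a perfectly good certificate. The following is an added illustration, not part of the original lab: it parses the validity lines from `show crypto pki certificates` and evaluates them at a given router clock; the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the R1 identity certificate from 'show crypto pki certificates' above.
R1_CERT = """Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=CA.cisco.com
l=JiNan
Subject:
cn=R1.cisco.com
Validity Date:
start date: 22:43:17 GMT Jan 26 2010
end date: 22:43:17 GMT Jan 26 2011
Associated Trustpoints: CA
"""
IOS_DATE = "%H:%M:%S GMT %b %d %Y"   # timestamp format IOS uses in the certificate display

def ios_clock(text):
    """Parse an IOS-style timestamp such as '22:43:17 GMT Jan 26 2010' into an aware UTC datetime."""
    return datetime.strptime(text.strip(), IOS_DATE).replace(tzinfo=timezone.utc)

def parse_validity(cert_text):
    """Return (not_before, not_after) from the Validity Date block of one certificate."""
    start = re.search(r"start date:\s*(.+)", cert_text).group(1)
    end = re.search(r"end date:\s*(.+)", cert_text).group(1)
    return ios_clock(start), ios_clock(end)

def cert_usable_at(cert_text, router_clock):
    """True only if the router's clock falls inside the certificate's validity window."""
    not_before, not_after = parse_validity(cert_text)
    return not_before <= router_clock <= not_after
```

A router whose clock is a few hours behind the CA's sees the freshly issued certificate as "not yet valid", which is the failure the time-zone and NTP configuration prevents.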

The basic L2L IPsec configuration is omitted; the ISAKMP policy in use is:


Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R1#ping 2.2.2.2 so 1.1.1.1 repeat 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 91 percent (91/100), round-trip min/avg/max = 76/145/212 ms

There are three main ways to request a certificate:
SCEP: online enrollment
PKCS#10: offline enrollment
WEB: Microsoft web enrollment

Later I will use PKCS#10 offline enrollment to build the L2L VPN.
