Lab 1:
1. Configure a Cisco router as a CA server.
2. Use SCEP to request certificates from the CA server.
3. Use the certificates to build a LAN-to-LAN (L2L) VPN.
Certificate enrollment process:
1. The client generates a key pair.
2. The client obtains the CA server's certificate (the server's public key). This is the step of authenticating the CA server, i.e. deciding to trust the CA.
3. The client submits a certificate request containing, at minimum, its identity information and its public key.
4. The CA server signs the certificate.
5. The CA server issues the certificate to the end user.
Step 1 (very important!):
NTP configuration // Note: NTP only synchronizes the time, not the time zone! Configure the time zone on every router first.
CA server configuration:
CA(config)#clock timezone GMT +8
CA#clock set 16:60:30 26 jan 2010
CA(config)#ntp master
CA(config)#ntp authentication-key 1 md5 cisco
CA(config)#ntp trusted-key 1
R1 NTP configuration:
R1(config)#clock timezone GMT +8
R1(config)#ntp authentication-key 1 md5 cisco
R1(config)#ntp trusted-key 1
R1(config)#ntp server 202.100.1.100 key 1
CA server configuration:
CA(config)#ip http server // SCEP runs over HTTP. If there is a firewall in the path, make sure TCP port 80 is permitted.
CA(config)#ip domain name cisco.com
CA(config)#crypto pki server CA
CA(cs-server)#issuer-name cn=CA.cisco.com, c=CN, l=JiNan
CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
R1 trustpoint configuration:
R1(config)#
Jan 26 03:56:10.537: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip domain name cisco.com
R1(config)#crypto pki trustpoint CA // define the trustpoint
R1(ca-trustpoint)#enrollment url http://202.100.1.100
R1(ca-trustpoint)#subject-name cn=R1.cisco.com // this router's own identity
R1(ca-trustpoint)#revocation-check crl // check the certificate revocation list (CRL)
R1(ca-trustpoint)#exit
R1(config)#
R2 is configured the same way!
R1 authenticates the CA server (obtains the root certificate):
R1(config)#crypto pki authenticate CA
Certificate has the following attributes:
Fingerprint MD5: 09047506 244CE5BD EB495114 F4F7FE3E // compare this with the value shown on the CA to confirm the CA's identity
Fingerprint SHA1: 9403D4FD 7023F581 DD7D1A6C FB6DCA31 C333D9D4
R1#
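The fingerprint comparison called out in the comment above is the only thing that protects the SCEP exchange, which runs over plain HTTP, from a spoofed CA. As an added illustration that is not part of the original lab notes, the Python below renders a certificate's fingerprint the way IOS prints it and checks it against the router's output; SAMPLE_CA_DER is a constructed stand-in, not a real certificate.

```python
import hashlib
import re

# Constructed stand-in for the DER bytes of the CA certificate that
# "crypto pki authenticate CA" fetches over plain HTTP (not a real cert).
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"constructed-sample-ca-certificate-bytes"

# Matches lines such as "Fingerprint MD5: 09047506 244CE5BD ..." and stops
# at any trailing non-hex text (e.g. a "//" comment).
_FP_LINE = re.compile(r"Fingerprint\s+(MD5|SHA1)\s*:\s*([0-9A-Fa-f ]+)")


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hash DER bytes and render them the way IOS prints fingerprints:
    uppercase hex in 8-character groups (4 groups for MD5, 5 for SHA1)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def parse_router_fingerprints(output: str) -> dict:
    """Extract the MD5/SHA1 fingerprints the router displayed, normalized
    to contiguous uppercase hex so spacing differences do not matter."""
    found = {}
    for line in output.splitlines():
        m = _FP_LINE.search(line)
        if m:
            found[m.group(1).lower()] = m.group(2).replace(" ", "").upper()
    return found


def fingerprints_match(der: bytes, router_output: str) -> bool:
    """Accept the CA only if every fingerprint the router printed equals the
    fingerprint of the CA certificate obtained out-of-band (e.g. read off
    the CA console). Refuse if the output contained no fingerprint at all."""
    shown = parse_router_fingerprints(router_output)
    if not shown:
        return False
    return all(
        value == ios_fingerprint(der, algo).replace(" ", "")
        for algo, value in shown.items()
    )


if __name__ == "__main__":
    # Simulated "crypto pki authenticate CA" output for the constructed cert.
    simulated = (
        "Certificate has the following attributes:\n"
        f"Fingerprint MD5: {ios_fingerprint(SAMPLE_CA_DER, 'md5')}\n"
        f"Fingerprint SHA1: {ios_fingerprint(SAMPLE_CA_DER, 'sha1')}\n"
    )
    print("accept CA:", fingerprints_match(SAMPLE_CA_DER, simulated))
```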
R2 is configured the same way.
R1 requests its own (identity) certificate:
R1(config)#crypto pki enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
R1(config)#
Jan 26 04:04:05.495: CRYPTO_PKI: Certificate Request Fingerprint MD5: 4FEEE572 873FE9D0 ADEC1FCD 4F29843D
Jan 26 04:04:05.507: CRYPTO_PKI: Certificate Request Fingerprint SHA1: CCF127F3 459ACA14 4DC498FC 87BEB260 68F729B8
R1(config)#
R2 is configured the same way!
The CA server views the pending requests and issues the certificates:
CA#crypto pki server CA info requests // view pending requests
Enrollment Request Database:
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CA.cisco.com
l=JiNan
Subject:
cn=CA.cisco.com
l=JiNan
Validity Date:
start date: 22:38:36 GMT Jan 26 2010
end date: 22:38:36 GMT Jan 25 2013
Associated Trustpoints: CA
You will see two certificates: the router's own and the CA's.
There are three main ways to request a certificate:
SCEP: online enrollment
PKCS#10: offline enrollment
WEB: Microsoft's web-based enrollment.