Certificate Matters (5): Making Certificates for Cisco Routers

1. Introduction to certificates on Cisco routers

    As everyone knows, a certificate is generally used by a device to prove its identity to others, while a router mainly routes and forwards packets. Why would it need a certificate?

    It depends on which features the router runs. A router can act as an SSL VPN gateway, an IPsec VPN gateway, or a web server (HTTPS for external management), and the voice module offers Secure SRST. In each of these roles the router terminates TLS or IKE sessions and must authenticate itself to the peer, which is what the certificate is for.

    There are three main ways to obtain a certificate on a Cisco router: a self-signed certificate, requesting one from a CA by copy-and-paste (terminal enrollment), and requesting one from a CA over the SCEP protocol.

2. Self-signed certificate

(1) Generate an RSA key pair

crypto key generate rsa modulus 2048 label caowen-c2911.key

(2) Create a trustpoint for the CA and fill in the basic information for the certificate request

Since this is a self-signed certificate, the CA is the router itself.

crypto pki trustpoint caowen-c2911
 enrollment selfsigned
 fqdn caowen-c2911.crdc.cisco.com
 subject-name cn=caowen-c2911.cisco.com,ou=crdc,o=cisco,st=shanghai,c=CN
 revocation-check none
 rsakeypair caowen-c2911.key
 eku request server-auth client-auth code-signing

revocation-check none is the right setting here: a self-signed certificate has no issuer that could publish a CRL or answer OCSP. Note also that the subject CN (caowen-c2911.cisco.com) differs from the fqdn (caowen-c2911.crdc.cisco.com); clients that connect to the router will check the name they used against the certificate, so the two should normally be the name clients actually resolve.

(3) Generate the self-signed certificate

crypto pki enroll caowen-c2911

The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-1283911835.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

The warning about trustpoint TP-self-signed-1283911835 appears because IOS allows only one self-signed trustpoint. That one was created automatically (typically when ip http secure-server was enabled) and is deleted together with its certificate when the new one is generated, so any client that had pinned the old certificate will see a new one afterwards.

(4) View the key, trustpoint and certificate

show crypto key mypubkey rsa caowen-c2911.key

show crypto pki trustpoint caowen-c2911

show crypto pki certificates caowen-c2911

3. Requesting a certificate from a CA by copy-and-paste

(1) Generate an RSA key pair

This uses the same key label as section 2. If that key pair still exists, IOS asks whether to replace it; replacing it invalidates the self-signed certificate bound to the old key, so either reuse the existing pair (skip this step) or choose a new label.

crypto key generate rsa modulus 2048 label caowen-c2911.key

(2) Create a trustpoint for the CA and fill in the basic information for the certificate request

crypto pki trustpoint RootCA
 enrollment terminal
 fqdn caowen-c2911.crdc.cisco.com
 subject-name cn=caowen-c2911.cisco.com,ou=crdc,o=cisco,st=shanghai,c=CN
 revocation-check none
 rsakeypair caowen-c2911.key
 eku request server-auth client-auth code-signing

Here the CA is a real issuer, so revocation-check none means the router will not check CRLs or OCSP when it validates peer certificates chained to RootCA (for example VPN clients). It is acceptable in a lab; in production configure revocation-check crl or revocation-check ocsp so that a revoked peer certificate is actually rejected.

(3) Obtain the CA's own certificate

crypto pki authenticate RootCA
At the prompt, paste the CA certificate into the router. Before answering "yes", compare the MD5/SHA1 fingerprint the router prints with the fingerprint obtained from the CA administrator over a separate channel: this prompt is the only point at which a forged CA certificate can be rejected, and everything the router later trusts under this trustpoint depends on it.
================================================================
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: 2975D954 77ADD97B 7BEDD9B7 FF3B2A0E 
      Fingerprint SHA1: FAA719D5 9D03FE91 0706AA5C 741C4087 908BC55F 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

(4) Generate the router's CSR

crypto pki enroll RootCA
At the prompts, the router displays the generated CSR (a base64 PKCS#10 request) on the terminal. The private key never leaves the router; only the request is copied out.
===============================================================================
% Start certificate enrollment .. 

% The subject name in the certificate will include: cn=caowen-c2911.cisco.com,ou=crdc,o=cisco,st=shanghai,c=CN
% The subject name in the certificate will include: caowen-c2911.crdc.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
... (base64 certificate request omitted) ...
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

(5) Copy the router's CSR to RootCA and have RootCA sign it, producing the router certificate

For this step see my other document: using openssl as a CA to issue certificates.

(6) Import the router certificate into the router

crypto pki import RootCA certificate
Paste the router certificate into the console. The import only succeeds if the certificate matches the key pair of the trustpoint and chains to the CA certificate accepted in step (3).
================================================================
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported

(7) View the RootCA and router certificates

show crypto pki certificates RootCA

This lists both the CA certificate and the router certificate held under the trustpoint; check the subject, validity dates and the Usage line (which reflects the EKUs the CA actually issued, not the ones requested).
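The CA-side half of steps (3), (5) and (6), as an added example that is not part of the original post: a small OpenSSL CA that builds a RootCA, prints the CA certificate fingerprints in the same 8-hex-digit groups IOS shows during crypto pki authenticate (so the operator can compare them before answering "yes"), checks and signs the router CSR with the EKUs the trustpoint requested, and verifies the result before it is pasted into crypto pki import. Since the real CSR is not on the page, the script generates a stand-in key and CSR with the same subject; the CA subject, file names and the $WORK directory are assumptions for the demo.

```shell
# Added example (not from the original post): OpenSSL as RootCA for the
# copy-and-paste enrollment. Requires the openssl CLI. All names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# (1) Throwaway CA. In production the CA key lives on a separate, offline host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=RootCA/OU=crdc/O=cisco/ST=shanghai/C=CN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# (2) Fingerprint in IOS layout: no colons, 8-character groups, e.g.
#     "FAA719D5 9D03FE91 0706AA5C 741C4087 908BC55F "
#     $1 = certificate file, $2 = md5 or sha1 (the two digests IOS prints)
ios_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" \
        | cut -d= -f2 | tr -d ':' | sed 's/\(........\)/\1 /g'
}

# Constructed stand-in for the router: normally router.csr is the PKCS#10 block
# pasted from the "crypto pki enroll RootCA" output. A local key and CSR with
# the same subject are generated here so the example runs offline.
make_router_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=caowen-c2911.cisco.com/OU=crdc/O=cisco/ST=shanghai/C=CN" \
        -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
}

# (3a) Before signing: the CSR's self-signature must verify (proof that the
#      requester holds the private key) and the key must be >= 2048 bits.
check_csr() {
    openssl req -in "$WORK/router.csr" -noout -verify >/dev/null 2>&1 || return 1
    bits=$(openssl req -in "$WORK/router.csr" -noout -text \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ]
}

# (3b) Sign. EKU and SAN come from the CA's own extension file, not from
#      whatever the requester put in the CSR: the CA decides what a router
#      certificate may be used for (here the three EKUs the trustpoint asked for).
sign_router_cert() {
    cat > "$WORK/router.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth,codeSigning
subjectAltName=DNS:caowen-c2911.crdc.cisco.com
EOF
    openssl x509 -req -in "$WORK/router.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/router.ext" \
        -out "$WORK/router.crt" 2>/dev/null
}

# (4) What the operator checks before pasting router.crt into the router:
#     it chains to RootCA and carries the EKU the feature will need.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/router.crt" >/dev/null 2>&1
}

has_eku() {   # $1 = EKU as OpenSSL prints it, e.g. "Code Signing"
    openssl x509 -in "$WORK/router.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q "$1"
}

main() {
    make_ca
    echo "Compare these with the 'crypto pki authenticate RootCA' prompt on the router:"
    echo "  Fingerprint MD5: $(ios_fingerprint "$WORK/ca.crt" md5)"
    echo " Fingerprint SHA1: $(ios_fingerprint "$WORK/ca.crt" sha1)"
    make_router_csr
    check_csr
    sign_router_cert
    verify_chain && has_eku 'Code Signing'
    echo "Paste $WORK/router.crt into 'crypto pki import RootCA certificate'."
}

main "$@"
```

The extension file is the security-relevant part: a CA should set EKU, key usage and SAN itself rather than copy them from the request, because the trustpoint's eku request line is only a request. Whatever the CA actually issues is what show crypto pki certificates RootCA reports under Usage afterwards.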

4. Requesting a certificate from a CA over SCEP

(1) Generate an RSA key pair

crypto key generate rsa modulus 2048 label caowen-c2911-scep.key

(2) Create a trustpoint for the CA and fill in the basic information for the certificate request

crypto pki trustpoint RootCA-SCEP
 enrollment url http://10.74.97.118:80
 fqdn caowen-c2911-scep.crdc.cisco.com
 subject-name cn=caowen-c2911-scep.crdc.cisco.com,ou=crdc,o=cisco,st=shanghai,c=CN
 subject-alt-name caowen-c2911-scep.crdc.cisco.com
 revocation-check none
 rsakeypair caowen-c2911-scep.key
 eku request server-auth client-auth code-signing

Compared with the earlier trustpoints, this one adds subject-alt-name, which puts the router's name into a DNS subjectAltName; modern TLS clients match the hostname against the SAN rather than the CN, so it should be the name clients use. The enrollment URL is plain HTTP by design: SCEP protects the request itself with PKCS#7 signing and encryption to the CA certificate, which is why authenticating that CA certificate by fingerprint in step (3) matters. For unattended renewal the trustpoint can also carry auto-enroll (with a percentage of the lifetime and optionally regenerate), so the router re-enrolls before the certificate expires.

(3) Obtain the CA's own certificate

crypto pki authenticate RootCA-SCEP

With SCEP the router downloads the CA certificate from the enrollment URL itself and prints its fingerprint for confirmation. Verify it against the value supplied by the CA administrator before accepting; alternatively, configure the expected value with the trustpoint's fingerprint command beforehand so the router rejects anything else without asking.

(4) Request the certificate from the CA online over SCEP

crypto pki enroll RootCA-SCEP

Depending on the CA, enrollment prompts for a challenge password that the CA uses to authorize the request (and that IOS also asks you to keep for revocation). The certificate is installed automatically once the CA issues it; if the CA requires manual approval, the router polls until the request is granted.

(5) View the key, trustpoint and certificate

show crypto key mypubkey rsa caowen-c2911-scep.key

show crypto pki trustpoint RootCA-SCEP

show crypto pki certificates RootCA-SCEP


Reposted from blog.csdn.net/Wendy019900107/article/details/89213775