Ruijie Networks—CA Digital Certificate Configuration—Router Apply for Certificate Offline

Table of contents

Features

Get steps

1. Networking requirements

2. Network topology

3. Configuration points

4. Configuration steps

5. Configuration verification

Appendix



Features

The router obtains the digital certificate through offline application. Using this method, the router does not need to communicate with the CA server.

Get steps

1) The router generates a CERTIFICATE REQUEST (the PKCS#10 request code) when the trustpoint is enrolled (section 4, step 3).
2) The request code is handed to the customer, whose CA issues the router certificate from it.
3) Once the router certificate is available, it is imported together with the CA root certificate provided by the customer, which completes the enrollment.

1. Networking requirements

The router obtains the digital certificate through offline application.

2. Network topology

none

3. Configuration points

1. Confirm that the router's system time is correct
2. Configure a trustpoint to define the certificate authority
3. Enroll the trustpoint to generate the request code and submit it to the customer; the customer returns the router certificate
4. Import the CA certificate and the router certificate provided by the customer into the router (the customer can export both at any time; nothing else is needed from our side)
5. Configure the router to ignore certificate validity and time checks (optional; see the notice under that step)

4. Configuration steps

1. Confirm that the router's system time is correct
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: certificate checks (validity period, revocation list) depend on the clock, so synchronize the time before making the certificate. A reading like the 2003 date above means the clock has never been set and must be corrected first.
If conditions permit, it is recommended to set up NTP.
2. Configure a trustpoint to define the certificate authority
Internet(config)# crypto pki trustpoint ruijie   //The trustpoint name is ruijie
Internet(ca-trustpoint)# revocation-check none      //Do not check the revocation list
Internet(ca-trustpoint)# enrollment offline   //Apply for the certificate offline
You are about to be asked to enter your Distinguished Name(DN) information that will be incorporated into
your certificate request. There are quite a few fields but you can leave some blank       //Set the DN information for the offline request
Common Name (eg, YOUR name) []:tac                      //Name of the device or its owner
Organizational Unit Name (eg, section) []:tac  //Your organizational unit name
Organization Name (eg, company) []:ruijie  //Your company
Locality Name (eg, city) []:Fuzhou //Your city
State or Province Name (full name) []: Fujian  //Your province
Country Name (2 letter code) [CN]:CN //Your country code
The subject name is: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
Is it correct[yes/no]:yes  //Confirm the DN information. The values in [] are defaults; the fields can be filled in as you see fit, unless the customer's CA policy requires specific values.
Internet(ca-trustpoint)#
3. Enroll the trustpoint to generate the request code and submit it to the customer; the customer returns the router certificate
Internet(config)# crypto pki enroll ruijie
Choose the size of the key modulus in the range of 384 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[1024]: //Enter 2048 here. Pressing Enter accepts the 1024-bit default, which is below the current minimum for RSA keys.
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
...(base64 request body)...
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
//Press Enter here. This step only serves to obtain the request code printed above: copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive and hand it to the customer. After pressing Enter the router reports that the certificate import failed, which is expected at this point.
CA certificate decode fail.
CA certificate import fail.
enroll offline failed.
4. Import the CA certificate and the router certificate provided by the customer into the router (the customer can export both at any time; nothing else is needed from our side)
Internet(config)# crypto pki enroll ruijie
router already has RSA key pair,
%% Do you want to generate a new private key?[yes/no]:no   //Answer no. The certificate the customer issued belongs to the key pair generated in step 3; a fresh key pair would not match it.
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
MIIBfzCB6QIBADBAMQwwCgYDVQQDEwN0YWMxDDAKBgNVBAsTA3RhYzEKMAgGA1UE
ChMBMTEKMAgGA1UEBxMBMTEKMAgGA1UECBMBMTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAwyaNhZM2Jpu9f1Yl+6gLujobTHHS0Ut+dfVunk1ZKy8iPrKlnjEs
RU67g/dsj8bqvUGxw0Zv/aer4TwJTxS57SWBblaMiKBW87yHptBT6GbSG7N05kJ5
trb20NHErO3SLmQ9bKCuho5ah1Q55kUWFi8+rvn2H+xLf5inZIMHxv8CAwEAAaAA
MA0GCSqGSIb3DQEBBAUAA4GBAAsuOQKkav++74tzGtOjLSP6KZXTtMNVz0v6WPFx
t4zZMp9JYkV24rmCDkGwEityV+byP0q8TYW8x0a3LfJWrjpmfoHu5u0WAebs9qTt
OY4LTlnk3V/dQBUKJt5lnOeozTIzbbEl7UAV1hXc3eD5a0clcS7PB5NNqm/dQnMJ
r55w
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself. //Paste the CA root certificate provided by the customer
-----BEGIN CERTIFICATE-----
 MIIDTzCCAjegAwIBAgIQN55wTyRR+5FLPBhQ7hYWDDANBgkqhkiG9w0BAQUFADA6
 MRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY25jYzENMAsG
 A1UEAxMEQ05DQzAeFw0xNTA0MjAwMTUxMTFaFw0yNTA0MjAwMjAxMTBaMDoxEzAR
 BgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZFgRjbmNjMQ0wCwYDVQQD
 EwRDTkNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCjE7U9YVzco
 3Gm3nj1NiyqCFiUcj9eYMTV+Ma5SgcRbkZkQxBl1/OfnnJwrB3tolieWXjFOdVNc
 h4Z0fSMzgFqjv0q4VXa9H7R+LoRKUYB07beQ33YdVu1AobpgpLFadzkg5gRYcvm/
 xa0Z7LIvAZ3yR6zY4HwaevCUrdxn5PeUg77fVg2COWh1Esqw4sBxXhrCfFCWGmhY
 b8n1q4WiHqjk/UB4C0o6bOrvJ93q/5RQqsj95xtLb1AXmbUT8DV8Roa9mm5YJT/b
 BgvNNQijApuoRXK5pLIimU1Ie89vK7LlaetuePNsXr+mW7Ya9EsVRcbYJKKQ47vG
 r9jIwrSe5QIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAd
 BgNVHQ4EFgQU/svlla2w9YaRIxYCw+JTCMRKuhEwEAYJKwYBBAGCNxUBBAMCAQAw
 DQYJKoZIhvcNAQEFBQADggEBAHhFt+r4gTjZ7L1dxqDwnBOaGAEsM/LoimjhNVG7
 lgIbPHO7cMDbFj56yngkKSI/si8Y6TBwmPo9IhTHvNUh66pxEhxzs/8kPOJilFqq
 xZLmmYInT1TJQoDWBr7gmsec3lmKL+2s8AgGnHa+PYWrodT+ZWCHLe7gZDjyjYRL
 HSqmSJHp5QvRUg2DziXhqmoGrIxbXpOSynJSdXTTXHByj17dv6LRY09/6rxx/Uyi
 PEO3q5PrQ3xPluBfNnaTGpEVAK+i64TDVNPuM9y2ULRWRP/mWACw7y8uSv0fpr7Q
 HkNaxXcbzuUvWmWEGkuKDBf45Qg5a3Gvr+Ua++O935lDzOU=
 -----END CERTIFICATE-----
 quit   //Enter quit
Certificate has the following attributes:
MD5 fingerprint: 90AD60A5 DFEA40D0 1F97E9BD 6CA8589F
SHA1 fingerprint: 6848FBC4 CF53FA89 BE239913 5F705F2E 239A3850
%% Do you accept this certificate?[yes/no]:y   //Before answering yes, compare these fingerprints with values obtained from the CA operator over a separate channel; this is the only check that the pasted certificate really is the customer's CA.
% CA Certificate successfully readed
%% All ca certificate imported?[yes/no]: y
% Enter PEM-formatted certificate.   //Prompt to start pasting the router certificate provided by the customer
% End with a blank line or "quit" on a line by itself.
 -----BEGIN CERTIFICATE-----
 MIIDkTCCAnmgAwIBAgIKI5QMNwAAAAACkzANBgkqhkiG9w0BAQUFADA6MRMwEQYK
 CZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY25jYzENMAsGA1UEAxME
 Q05DQzAeFw0xNTExMDMwNzM5NDlaFw0xNjExMDMwNzQ5NDlaMFsxCzAJBgNVBAYT
 AkNOMRAwDgYDVQQIEwdiZWlqaW5nMRAwDgYDVQQHEwdiZWlqaW5nMQwwCgYDVQQK
 EwNhYmMxDDAKBgNVBAsTA2FiYzEMMAoGA1UEAxMDYWJjMIGfMA0GCSqGSIb3DQEB
 AQUAA4GNADCBiQKBgQCuo1ySdhYkgslH+iu1dSXtNKenEKgJ90qPzPKb6jsc35Rs
 mO9Pj/H8zj9WAnoiAYuugyHcyAqQ8EguzV9q+bCebB6pCglpRl1sEGumXj5WJUUP
 cgxZNyuOCq561TX3CR/HyEO05xWKQcSfjFZNOJG5DlDRCWeuwT+oVYKGLRNuNwID
 AQABo4H7MIH4MB0GA1UdDgQWBBTVuwmuQSp8yd77A7h22q7lc65F+jAfBgNVHSME
 GDAWgBT+y+WVrbD1hpEjFgLD4lMIxEq6ETA7BgNVHR8ENDAyMDCgLqAshipmaWxl
 Oi8vV0lOLUFRSzFDN0czMTlWL0NlcnRFbnJvbGwvQ05DQy5jcmwwVgYIKwYBBQUH
 AQEESjBIMEYGCCsGAQUFBzAChjpmaWxlOi8vV0lOLUFRSzFDN0czMTlWL0NlcnRF
 bnJvbGwvV0lOLUFRSzFDN0czMTlWX0NOQ0MuY3J0MCEGCSsGAQQBgjcUAgQUHhIA
 VwBlAGIAUwBlAHIAdgBlAHIwDQYJKoZIhvcNAQEFBQADggEBABLTyq2tAkpJMsgJ
 Frfkh2QBgA6DCsFN5kDk4Fps15TrGfQSZf+xgKSBRNNrSQP0Y/X/Gke8rEugv55Q
 C/LsuWrKQHKadfptU4J4tvsc2WhIgLPzdvUKZqqeB4ySbAjJTQ2FSXvgDvyDdlQr
 68URrT7ji5ghm+596Dz+xLtIfX7b55gXSfZLHDhI1ISojOtgL4D2JWFUkv1CKvHJ
 N1YAj8UfzmKnQQDcNS1eFRQ1GddwfuD6pJ0KdSEPYG4iBCFAmqc/6YByFOVgx+Jl
 s2Jrrt9/MpQ3VKhBgOnCjgBiaIDagZGR3AVZBZ9fXvfiCcy6DOm87k1ZvvV56fbs
 pEjQgHM=
 -----END CERTIFICATE-----
 quit   //Enter quit to exit.
% Router Certificate successfully imported
5. Configure the router to ignore certificate validity and time checks (optional)
Internet(config)# crypto pki trustpoint ruijie //Enter the trustpoint that holds the certificate
Internet(ca-trustpoint)# time-check none //Turn off the certificate time check
Internet(ca-trustpoint)# revocation-check none  //Do not check whether the certificate is revoked
Notice:
1. The RSR10-02 device has no real-time clock chip. After a power failure its time is reset to 1970-01-01, so IPsec VPN negotiation based on digital certificates fails because every certificate is outside its validity period at that date. Either configure NTP time synchronization or configure time-check none under crypto pki trustpoint XX. NTP is the better choice: with time-check none an expired certificate is also accepted.
2. All 3G clients that do not apply for digital certificates online need revocation-check none under crypto pki trustpoint XX to turn off the device's CRL check, unless the device can resolve and reach the CA's CRL distribution point. With revocation-check none a revoked certificate is still accepted.
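The checks behind steps 1, 3 and 4 can be exercised on the CA operator's side before anything is pasted into the router. The Python script below is an added example written for this page, not Ruijie code: a small standard-library DER reader that reports the subject and RSA key size of the router's request, computes the MD5 and SHA1 fingerprints of the CA certificate (the values to compare against the "Do you accept this certificate?" prompt, obtained over a separate channel), and applies the checks the router itself performs, issuer link and validity window, at a given clock. The base64 bodies are the three blobs printed in the transcripts above; the 2003 clock is the show clock reading from step 1 and the 2016 date is an assumed synchronized clock. The request (CN=tac) and the router certificate (CN=abc) on this page evidently come from different sessions, so the script also flags that their subjects differ.

```python
"""Offline-enrollment checks for the procedure above (added example, not Ruijie's code).
Standard-library DER reader: inspect the router's CSR before signing it, print the CA
fingerprints the router shows at "Do you accept this certificate?", and verify issuer
link and validity period at a given clock, as the router does at import time."""
import base64, hashlib, re
from datetime import datetime, timezone

# DER-encoded attribute-type OIDs used in the subjects on this page (anything else prints as hex).
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC"}
# Base64 bodies copied from the transcripts on this page (BEGIN/END armour lines removed).
CSR_B64 = ("MIIBfzCB6QIBADBAMQwwCgYDVQQDEwN0YWMxDDAKBgNVBAsTA3RhYzEKMAgGA1UE" "ChMBMTEKMAgGA1UEBxMBMTEKMAgGA1UECBMBMTCBnzANBgkqhkiG9w0BAQEFAAOB" "jQAwgYkCgYEAwyaNhZM2Jpu9f1Yl+6gLujobTHHS0Ut+dfVunk1ZKy8iPrKlnjEs"
           "RU67g/dsj8bqvUGxw0Zv/aer4TwJTxS57SWBblaMiKBW87yHptBT6GbSG7N05kJ5" "trb20NHErO3SLmQ9bKCuho5ah1Q55kUWFi8+rvn2H+xLf5inZIMHxv8CAwEAAaAA" "MA0GCSqGSIb3DQEBBAUAA4GBAAsuOQKkav++74tzGtOjLSP6KZXTtMNVz0v6WPFx"
           "t4zZMp9JYkV24rmCDkGwEityV+byP0q8TYW8x0a3LfJWrjpmfoHu5u0WAebs9qTt" "OY4LTlnk3V/dQBUKJt5lnOeozTIzbbEl7UAV1hXc3eD5a0clcS7PB5NNqm/dQnMJ" "r55w")
CA_B64 = ("MIIDTzCCAjegAwIBAgIQN55wTyRR+5FLPBhQ7hYWDDANBgkqhkiG9w0BAQUFADA6" "MRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY25jYzENMAsG" "A1UEAxMEQ05DQzAeFw0xNTA0MjAwMTUxMTFaFw0yNTA0MjAwMjAxMTBaMDoxEzAR"
          "BgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZFgRjbmNjMQ0wCwYDVQQD" "EwRDTkNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCjE7U9YVzco" "3Gm3nj1NiyqCFiUcj9eYMTV+Ma5SgcRbkZkQxBl1/OfnnJwrB3tolieWXjFOdVNc"
          "h4Z0fSMzgFqjv0q4VXa9H7R+LoRKUYB07beQ33YdVu1AobpgpLFadzkg5gRYcvm/" "xa0Z7LIvAZ3yR6zY4HwaevCUrdxn5PeUg77fVg2COWh1Esqw4sBxXhrCfFCWGmhY" "b8n1q4WiHqjk/UB4C0o6bOrvJ93q/5RQqsj95xtLb1AXmbUT8DV8Roa9mm5YJT/b"
          "BgvNNQijApuoRXK5pLIimU1Ie89vK7LlaetuePNsXr+mW7Ya9EsVRcbYJKKQ47vG" "r9jIwrSe5QIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAd" "BgNVHQ4EFgQU/svlla2w9YaRIxYCw+JTCMRKuhEwEAYJKwYBBAGCNxUBBAMCAQAw"
          "DQYJKoZIhvcNAQEFBQADggEBAHhFt+r4gTjZ7L1dxqDwnBOaGAEsM/LoimjhNVG7" "lgIbPHO7cMDbFj56yngkKSI/si8Y6TBwmPo9IhTHvNUh66pxEhxzs/8kPOJilFqq" "xZLmmYInT1TJQoDWBr7gmsec3lmKL+2s8AgGnHa+PYWrodT+ZWCHLe7gZDjyjYRL"
          "HSqmSJHp5QvRUg2DziXhqmoGrIxbXpOSynJSdXTTXHByj17dv6LRY09/6rxx/Uyi" "PEO3q5PrQ3xPluBfNnaTGpEVAK+i64TDVNPuM9y2ULRWRP/mWACw7y8uSv0fpr7Q" "HkNaxXcbzuUvWmWEGkuKDBf45Qg5a3Gvr+Ua++O935lDzOU=")
ROUTER_B64 = ("MIIDkTCCAnmgAwIBAgIKI5QMNwAAAAACkzANBgkqhkiG9w0BAQUFADA6MRMwEQYK" "CZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY25jYzENMAsGA1UEAxME" "Q05DQzAeFw0xNTExMDMwNzM5NDlaFw0xNjExMDMwNzQ5NDlaMFsxCzAJBgNVBAYT"
              "AkNOMRAwDgYDVQQIEwdiZWlqaW5nMRAwDgYDVQQHEwdiZWlqaW5nMQwwCgYDVQQK" "EwNhYmMxDDAKBgNVBAsTA2FiYzEMMAoGA1UEAxMDYWJjMIGfMA0GCSqGSIb3DQEB" "AQUAA4GNADCBiQKBgQCuo1ySdhYkgslH+iu1dSXtNKenEKgJ90qPzPKb6jsc35Rs"
              "mO9Pj/H8zj9WAnoiAYuugyHcyAqQ8EguzV9q+bCebB6pCglpRl1sEGumXj5WJUUP" "cgxZNyuOCq561TX3CR/HyEO05xWKQcSfjFZNOJG5DlDRCWeuwT+oVYKGLRNuNwID" "AQABo4H7MIH4MB0GA1UdDgQWBBTVuwmuQSp8yd77A7h22q7lc65F+jAfBgNVHSME"
              "GDAWgBT+y+WVrbD1hpEjFgLD4lMIxEq6ETA7BgNVHR8ENDAyMDCgLqAshipmaWxl" "Oi8vV0lOLUFRSzFDN0czMTlWL0NlcnRFbnJvbGwvQ05DQy5jcmwwVgYIKwYBBQUH" "AQEESjBIMEYGCCsGAQUFBzAChjpmaWxlOi8vV0lOLUFRSzFDN0czMTlWL0NlcnRF"
              "bnJvbGwvV0lOLUFRSzFDN0czMTlWX0NOQ0MuY3J0MCEGCSsGAQQBgjcUAgQUHhIA" "VwBlAGIAUwBlAHIAdgBlAHIwDQYJKoZIhvcNAQEFBQADggEBABLTyq2tAkpJMsgJ" "Frfkh2QBgA6DCsFN5kDk4Fps15TrGfQSZf+xgKSBRNNrSQP0Y/X/Gke8rEugv55Q"
              "C/LsuWrKQHKadfptU4J4tvsc2WhIgLPzdvUKZqqeB4ySbAjJTQ2FSXvgDvyDdlQr" "68URrT7ji5ghm+596Dz+xLtIfX7b55gXSfZLHDhI1ISojOtgL4D2JWFUkv1CKvHJ" "N1YAj8UfzmKnQQDcNS1eFRQ1GddwfuD6pJ0KdSEPYG4iBCFAmqc/6YByFOVgx+Jl"
              "s2Jrrt9/MpQ3VKhBgOnCjgBiaIDagZGR3AVZBZ9fXvfiCcy6DOm87k1ZvvV56fbs" "pEjQgHM=")

def to_der(text):
    """Accept armoured PEM or bare base64 and return the DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----[^-]*-----", "", text).split()))

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Elements of a constructed value (SEQUENCE / SET) as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def name_to_str(name):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as CN=..,OU=.."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('latin-1')}")
    return ",".join(parts)

def asn1_time(tag, val):
    """UTCTime (YYMMDDhhmmssZ, RFC 5280 century rule) or GeneralizedTime -> aware datetime."""
    s = val.decode()
    if tag == 0x17:                                    # UTCTime: 50..99 -> 19xx, 00..49 -> 20xx
        s = str(1900 + int(s[:2]) if int(s[:2]) >= 50 else 2000 + int(s[:2])) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Issuer, subject, validity and fingerprints (over the DER, in the router's 8-hex groups)."""
    fields = children(children(tlv(der)[1])[0][1])     # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (asn1_time(t, v) for t, v in children(validity[1]))
    group = lambda h: " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return {"issuer": name_to_str(issuer[1]), "subject": name_to_str(subject[1]),
            "not_before": not_before, "not_after": not_after,
            "md5": group(hashlib.md5(der).hexdigest().upper()),
            "sha1": group(hashlib.sha1(der).hexdigest().upper())}

def parse_csr(der):
    """Subject and RSA modulus size from a PKCS#10 request."""
    _ver, subject, spki = children(children(tlv(der)[1])[0][1])[:3]   # certificationRequestInfo
    _alg, bits = children(spki[1])
    rsa_key = children(bits[1][1:])[0][1]              # BIT STRING: skip the unused-bits byte
    modulus = int.from_bytes(children(rsa_key)[0][1], "big")
    return {"subject": name_to_str(subject[1]), "key_bits": modulus.bit_length()}

def chain_problems(ca, router, clock):
    """What the router checks when it imports and later uses the certificates."""
    problems = []
    if router["issuer"] != ca["subject"]:
        problems.append("router certificate was not issued by this CA")
    for label, cert in (("CA", ca), ("router", router)):
        if not cert["not_before"] <= clock <= cert["not_after"]:
            problems.append(f"{label} certificate not valid at {clock:%Y-%m-%d %H:%M:%S} UTC")
    return problems

if __name__ == "__main__":
    csr, ca, router = parse_csr(to_der(CSR_B64)), parse_cert(to_der(CA_B64)), parse_cert(to_der(ROUTER_B64))
    print("CSR:", csr, "(weak key)" if csr["key_bits"] < 2048 else "")
    print("CA fingerprints:", ca["md5"], "/", ca["sha1"])   # confirm out of band before answering yes
    if csr["subject"] != router["subject"]:
        print("issued subject", router["subject"], "differs from requested", csr["subject"])
    page_clock = datetime(2003, 3, 6, 5, 1, 40, tzinfo=timezone.utc)    # "show clock" value in step 1
    print("at page clock:", chain_problems(ca, router, page_clock))
    print("at 2016-01-15:", chain_problems(ca, router, datetime(2016, 1, 15, tzinfo=timezone.utc)))
```

With the page's unsynchronized 2003 clock both certificates are reported as not valid, which is exactly the failure the notice about the RSR10-02 describes; with a clock inside both validity windows the list is empty. The fingerprints are computed over the DER encoding, which is the usual definition and what the router's prompt shows for this CA certificate; the values are only useful if they are checked against a copy obtained from the CA operator, not against the pasted certificate itself.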

5. Configuration verification

You can view the certificate information of the trustpoint "ruijie" by running show crypto pki certificates ruijie:
Ruijie# show crypto pki certificates ruijie
% CA certificate info: //CA root certificate information
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
        Issuer: DC=com, DC=rsc, CN=RSC CA
        Validity
            Not Before: Dec 29 05:30:00 2010 GMT
            Not After : Dec 29 05:39:30 2020 GMT //The validity period of the certificate. If the device time is not within it, the certificate cannot be used.
        Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info: //Router certificate information
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:0e:8b:73:00:00:00:00:00:19
        Issuer: DC=com, DC=rsc, CN=RSC CA //Must match the Subject of the CA certificate above
        Validity
            Not Before: May 15 07:55:30 2011 GMT
            Not After : May 15 08:05:30 2012 GMT
        Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/[email protected]
Associated Trustpoints: ruijie

Appendix

1. Steps to export the root certificate from the CA

Export the CA certificate in Base64-encoded X.509 (.cer) format. A Base64 .cer file can be opened in WordPad and its text pasted into the router; a DER-encoded .cer shows binary data and cannot be pasted.

2. Method for the customer to obtain the router certificate from the request
(1) Open http://202.100.1.11/certsrv/ (the web enrollment page of the CA server) and click "Request a certificate".

(3) On the page that opens, click "advanced certificate request".

(4) On the next page, click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

(5) On the next page, paste the request string obtained from the router into "Saved Request:", then click Submit.

Note: copy the whole request, from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----" inclusive.

(6) Issue the certificate on the CA (in the Certification Authority console, under Pending Requests).

(7) View the issued certificate.

(8) On the page that opens, select "Base 64 encoded", then click "Download certificate".

6. Import the certificate
(1) The downloaded certificate is named certnew.cer by default. Open it with WordPad and paste its content into the router at the "Enter PEM-formatted certificate" prompt (section 4, step 4).

Origin blog.csdn.net/weixin_57099902/article/details/132901861