Table of contents
Features
Get steps
1. Networking requirements
2. Network topology
3. Configuration points
4. Configuration steps
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: The certificate carries time-dependent attributes such as the revocation list and the validity period. Before generating the certificate, make sure the device time is synchronized. If conditions permit, it is recommended to set up NTP.
Internet(config)# crypto pki trustpoint ruijie    //The trustpoint name is ruijie
Internet(ca-trustpoint)# revocation-check none    //Do not check the revocation list
Internet(ca-trustpoint)# enrollment offline    //Apply for the certificate offline
You are about to be asked to enter you Distinguished Name(DN) information that will be incorporated into
your certificate request. There are quite a few fields but you can leave some blank    //Set the DN information of the offline certificate
Common Name (eg, YOUR name) []:tac    //Your first and last name
Organizational Unit Name (eg, section) []:tac    //Your organizational unit name
Organization Name (eg, company) []:ruijie    //Your company
Locality Name (eg, city) []:Fuzhou    //Your city
State or Province Name (full name) []:Fujian    //Your province
Country Name (2 letter code) [CN]:CN    //Your country code
The subject name is: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
Is it correct[yes/no]:yes    //Confirm the DN information. The values in the fields above can be set as you wish.
Internet(ca-trustpoint)#
Internet(config)# crypto pki enroll ruijie
Choose the size of the key modulus in the range of 384 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[1024]:    //You can press Enter here to accept the default
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.    //Press Enter here. This run only serves to obtain the certificate request text between the BEGIN and END lines above. After pressing Enter, the device reports that the certificate import failed; this is expected.
CA certificate decode fail.
CA certificate import fail.
enroll offline failed.
Internet(config)# crypto pki enroll ruijie
router already has RSA key pair,
%% Do you want to generate a new private key?[yes/no]:no
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.    //Paste the CA root certificate provided by the customer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit    //Enter quit
Certificate has the following attributes:
MD5 fingerprint: 90AD60A5 DFEA40D0 1F97E9BD 6CA8589F
SHA1 fingerprint: 6848FBC4 CF53FA89 BE239913 5F705F2E 239A3850
%% Do you accept this certificate?[yes/no]:y    //Compare these fingerprints with those of the CA certificate you were given before accepting
% CA Certificate successfully readed
%% All ca certificate imported?[yes/no]: y
% Enter PEM-formatted certificate.    //Prompt to start pasting the router certificate provided by the customer
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit    //Enter quit to exit
% Router Certificate successfully imported
crypto pki trustpoint ruijie    //Enter the trustpoint of the certificate
 time-check none    //Turn off the certificate time check
 revocation-check none    //Do not check whether the certificate is revoked
Notice:
1. The RSR10-02 device does not have a clock chip. After a power failure, the time is reset to 1970-01-01, which causes certificate-based IPsec VPN negotiation to fail. Either configure NTP time synchronization or configure time-check none in crypto pki trustpoint XX mode to turn off time checking.
2. All 3G clients that do not apply for digital certificates online need to configure revocation-check none in crypto pki trustpoint XX mode to turn off the CRL check, unless the device can resolve the domain name of the CA server.
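To see what the device is doing at the fingerprint prompt and at the time check, here is an added example (not from the Ruijie guide or its CLI) that builds a throw-away CA with openssl, issues a router certificate from a CSR carrying the guide's DN, and reproduces the import-time checks: the fingerprint in the router's display format, chain verification, and validity against a given clock. It assumes Linux with openssl and GNU date; the CA, keys and DN are constructed test values.

```shell
#!/bin/sh
# Added example (not from the Ruijie guide): CA-side issuance for an offline
# CSR plus the checks a device performs when the certificates are imported.
WORK=$(mktemp -d)

# Build a throw-away test CA and sign a CSR with the guide's DN (constructed; no real CA).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA/O=ruijie" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Router side: the CSR the device prints between BEGIN/END CERTIFICATE REQUEST.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CN/ST=fujian/L=fuzhou/O=ruijie/OU=tac/CN=tac" \
    -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
  # CA side: issue the router certificate from that CSR.
  openssl x509 -req -in "$WORK/router.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/router.pem" 2>/dev/null
}

# Fingerprint in the router's display form (8-hex-char groups) so it can be compared
# with the MD5/SHA1 lines shown before "Do you accept this certificate?".
router_fingerprint() {  # $1 = cert file, $2 = md5|sha1
  openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2 | tr -d ':' \
    | sed 's/.\{8\}/& /g; s/ $//'
}

# Chain check: the router certificate must be signed by the imported CA certificate.
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/router.pem" >/dev/null 2>&1; }

# Validity check against a given clock (epoch seconds). A device whose clock reset
# to 1970-01-01 fails this unless NTP is set up or time-check none is configured.
valid_at() {  # $1 = cert file, $2 = epoch seconds
  nb=$(date -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
  [ "$2" -ge "$nb" ] && [ "$2" -le "$na" ]
}

make_test_pki
echo "CA MD5  fingerprint: $(router_fingerprint "$WORK/ca.pem" md5)"
echo "CA SHA1 fingerprint: $(router_fingerprint "$WORK/ca.pem" sha1)"
if valid_at "$WORK/router.pem" 0; then echo "1970 clock: accepted"; else echo "1970 clock: rejected"; fi
```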
5. Configuration verification
Appendix
1. Steps to export root certificate from CA
The .cer file can be opened and viewed through WordPad.
2. Method for customers to obtain the router certificate through a request
(1) Open http://202.100.1.11/certsrv/ on the CA certificate server and click "Apply for a Certificate"
(3) The following page will pop up, click "Advanced Certificate Application"
(4) The following page pops up, click "Use base64-encoded CMC or PKCS #10 file to submit a certificate application, or use base64-encoded PKCS #7 file to renew the certificate application"
Note: When applying for a certificate, you need to copy all the contents from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----".
(6) Issue the certificate on the CA
(7) View the issued certificate
6. Import the certificate
(1) After downloading, the name of the certificate is certnew.cer by default, and then open it with WordPad