Features
".pfx" is the default format in which a Microsoft CA certificate server exports certificates. Our router supports direct import of ".pfx" format certificates through TFTP or FLASH, or import after conversion to ".pem" format. A ".pfx" format certificate can be converted to ".pem" format with the "pfx2pem.exe" tool; the pfx-to-pem conversion software is provided as an attachment.
1. Networking requirements
Convert the certificate file from ".pfx" format to ".pem" format and then import it into the router.
2. Network topology
3. Configuration points
1. Confirm whether the router’s system time is correct
2. Convert the “.pfx” format certificate to “.pem” format
3. Import the “.pem” format certificate into the router
4. Configure to ignore certificate validity and time checks (optional)
4. Configuration steps
1. Confirm whether the router’s system time is correct
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: A certificate carries time-dependent attributes such as its validity period and the revocation list, so make sure the router's time is synchronized before making the certificate.
If conditions permit, it is recommended to set up NTP.
2. Convert the ".pfx" format certificate to ".pem" format
(1) Open the "pfx2pem" tool. The source file password is the password that was entered when the certificate was exported from IE; the destination file password is a password you define now, and it must be entered again when the certificate is imported into the device.
(2) Click the conversion button and the following picture will pop up:
3. Import the ".pem" format certificate into the router
(For the configuration method, please refer to Typical Scenario Description--->Common Function Configuration--->Security--->IPSEC--->CA Digital Certificate--->Offline Import of PEM Format Digital Certificate)
4. Configure to ignore certificate validity and time checks (optional)
crypto pki trustpoint ruijie //Enter the corresponding trustpoint of the certificate
time-check none //Turn off certificate time check
revocation-check none //Do not check whether the certificate is revoked
Notice:
1. The RSR10-02 device has no clock chip. After a power failure its time is reset to 1970-01-01, which causes IPSEC VPN negotiation based on digital certificates to fail. Either configure NTP time synchronization or configure time-check none in crypto pki trustpoint XX mode to turn off certificate time checking.
2. Every 3G client that does not apply for its digital certificate online must configure revocation-check none in crypto pki trustpoint XX mode to turn off the device's CRL check, unless the device can resolve the domain name of the CA service.
5. Configuration verification
You can view the certificate information named "ruijie" by running show crypto pki certificates ruijie:
Ruijie#show crypto pki certificates ruijie
% CA certificate info: //CA root certificate information
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: Dec 29 05:30:00 2010 GMT
Not After : Dec 29 05:39:30 2020 GMT //The validity period of the certificate. If the device time is not within the validity period of the certificate, the certificate cannot be used.
Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info: //Router certificate information
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0e:8b:73:00:00:00:00:00:19
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: May 15 07:55:30 2011 GMT
Not After : May 15 08:05:30 2012 GMT
Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/[email protected]
Associated Trustpoints: ruijie
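As an added defender's check (not part of the original guide): before deciding to turn off time-check, compare the router's clock with each certificate's validity window. The script below parses constructed samples of the show clock and show crypto pki certificates output, modelled on the listings above, and reports whether each certificate is usable at the device's current time; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed samples modelled on the page's "show clock" and
# "show crypto pki certificates" output (not captured from a real device).
SHOW_CLOCK = "05:01:40 UTC Thu, Mar 6, 2003"
SHOW_CERTS = """\
% CA certificate info:
            Not Before: Dec 29 05:30:00 2010 GMT
            Not After : Dec 29 05:39:30 2020 GMT
% Router certificate info:
            Not Before: May 15 07:55:30 2011 GMT
            Not After : May 15 08:05:30 2012 GMT
"""

CLOCK_FMT = "%H:%M:%S UTC %a, %b %d, %Y"  # layout of the "show clock" line
CERT_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # OpenSSL-style date in the listing

def parse_show_clock(text):
    """Turn the 'show clock' line into an aware UTC datetime."""
    return datetime.strptime(text.strip(), CLOCK_FMT).replace(tzinfo=timezone.utc)

def parse_certificates(text):
    """Return one {'label', 'not_before', 'not_after'} dict per listed certificate."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"% (.+?) info:", line)  # "% CA certificate info:" opens a record
        date = re.match(r"Not (Before|After)\s*:\s*(.+)", line)
        if head:
            cur = {"label": head.group(1)}
            certs.append(cur)
        elif cur is not None and date:
            key = "not_before" if date.group(1) == "Before" else "not_after"
            when = datetime.strptime(date.group(2).strip(), CERT_DATE_FMT)
            cur[key] = when.replace(tzinfo=timezone.utc)
    return certs

def check_validity(clock_text, certs_text):
    """Map each certificate label to 'valid', 'not yet valid' or 'expired' at the device clock."""
    now = parse_show_clock(clock_text)
    status = {}
    for c in parse_certificates(certs_text):
        if now < c["not_before"]:
            status[c["label"]] = "not yet valid"  # the page's 2003 clock hits this branch
        elif now > c["not_after"]:
            status[c["label"]] = "expired"
        else:
            status[c["label"]] = "valid"
    return status
```

With the page's 2003 clock both certificates come back "not yet valid", which is exactly the failure mode the Notice describes; fixing the clock (or NTP) is the answer rather than disabling the check.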