Features
".pem" is a common format for digital certificates and can be imported into the router directly offline. The "pfx2pem.exe" tool can also be used to convert a generated ".pfx" certificate to ".pem" format before importing it into the router; for the pfx-to-pem conversion software, see the attachment.
1. Networking requirements
Import a certificate file in ".pem" format into the router.
2. Network topology
3. Configuration points
1. Confirm whether the router’s system time is correct
2. Import the CA root certificate
3. Import the router private key
4. Import the router certificate
5. Configure to ignore certificate validity and time checks (optional)
Note: After opening the certificate file with the WordPad program, you can see the router private key, the router certificate, and the CA root certificate. They can be told apart as follows:
(1) Router private key: the content from "-----BEGIN RSA PRIVATE KEY-----" to "-----END RSA PRIVATE KEY-----" is the router private key. When importing the certificate, paste the router private key (including the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" lines) into the router.
(2) Router certificate: look at the content after the "subject" and "issuer" fields. If the "subject" and "issuer" fields differ, the block from the following "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" is the router certificate. When importing the certificate, paste the router certificate (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) into the router.
(3) CA root certificate: look at the content after the "subject" and "issuer" fields. If the "subject" and "issuer" fields are exactly the same, the block from the following "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" is the CA root certificate. When importing the certificate, paste the CA root certificate (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) into the router.
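An added Python example (not from the guide or Ruijie) that applies the three rules above to a PEM bundle: it splits the file into BEGIN/END blocks, labels the private key and checks that it is encrypted (the import dialogue asks for an encrypted key plus a password), and uses the subject=/issuer= header lines that OpenSSL-style pfx-to-pem conversion prints before each certificate to tell the self-signed CA root from the router certificate. The sample bundle and its base64 bodies are constructed placeholders, not real material.

```python
import re
from dataclasses import dataclass

# Constructed sample bundle as pfx2pem / openssl pkcs12 emit it; base64 bodies are placeholders.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

PLACEHOLDERKEYBODY==
-----END RSA PRIVATE KEY-----
subject=/C=CN/ST=fujian/L=fuzhou/O=ruijie/OU=tac/CN=test
issuer=/DC=com/DC=rsc/CN=RSC CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROUTERCERT==
-----END CERTIFICATE-----
subject=/DC=com/DC=rsc/CN=RSC CA
issuer=/DC=com/DC=rsc/CN=RSC CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERCACERT==
-----END CERTIFICATE-----
"""

@dataclass
class PemBlock:
    kind: str        # "router private key", "router certificate" or "CA root certificate"
    text: str        # the block including its BEGIN/END lines, i.e. what gets pasted
    encrypted: bool  # private key only: True when the Proc-Type header says ENCRYPTED

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)

def classify_pem(bundle: str) -> list:
    """Split a PEM bundle into blocks and label each one the way the guide describes."""
    blocks, prev_end = [], 0
    for m in BLOCK_RE.finditer(bundle):
        label, text = m.group(1), m.group(0)
        header, prev_end = bundle[prev_end:m.start()], m.end()
        if label.endswith("PRIVATE KEY"):
            blocks.append(PemBlock("router private key", text, "Proc-Type: 4,ENCRYPTED" in text))
            continue
        # OpenSSL prints subject= and issuer= lines immediately before each certificate.
        subject = re.search(r"^subject=(.*)$", header, re.M)
        issuer = re.search(r"^issuer=(.*)$", header, re.M)
        if not (subject and issuer):
            raise ValueError("certificate block without subject=/issuer= header lines")
        # Self-signed (subject == issuer) is the CA root; otherwise it is the router certificate.
        kind = "CA root certificate" if subject.group(1) == issuer.group(1) else "router certificate"
        blocks.append(PemBlock(kind, text, False))
    return blocks
```

The subject/issuer rule identifies only a self-signed root; an intermediate CA in a multi-level chain is not self-signed and would be labelled as a router certificate by this check, so confirm such a block by its subject name before pasting it at the secondary CA prompt.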
4. Configuration steps
1. Confirm whether the router’s system time is correct
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: The certificate involves time-dependent attributes such as the revocation list and the validity period. Before making the certificate, make sure the time is synchronized.
If conditions permit, it is recommended to set up NTP.
2. Import the CA root certificate
3. Import the router private key
4. Import the router certificate
The specific steps are as follows:
Ruijie(config)# crypto pki import ruijie pem terminal 123456 //Import the certificate with the crypto pki import command, specifying the trustpoint name ruijie and the PEM certificate password 123456.
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
(CA root certificate body omitted)
-----END CERTIFICATE-----
quit //Paste the CA root certificate above, then exit with quit
Certificate has the following attributes:
MD5 fingerprint: F9637FD9 3D5F5C33 D6E067C3 5F7952CC
SHA1 fingerprint: FC07C4BE 8E769C57 C4182A80 2904D9F1 A0DE80D5
%% Do you accept this certificate?[yes/no]: yes //Enter yes to accept the CA root certificate
% CA Certificate successfully readed
%% All ca certificate imported?[yes/no]: yes //If a multi-level root certificate exists, enter no to continue importing the secondary CA root certificate.
% Enter PEM-formatted encrypted private key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,27BB225D98832F46
(encrypted private key body omitted)
-----END RSA PRIVATE KEY-----
quit //Paste the router private key above, then exit with quit
% RSA private key successfully imported.
% Enter PEM-formatted certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
(router certificate body omitted)
-----END CERTIFICATE-----
quit //Paste the router certificate above, then exit with quit
% Router Certificate successfully imported //All certificates have been imported.
5. Configure to ignore certificate validity and time checks (optional)
crypto pki trustpoint ruijie //Enter the corresponding trustpoint of the certificate
time-check none //Turn off certificate time check
revocation-check none //Do not check whether the certificate is revoked
Notice:
1. The RSR10-02 device has no clock chip. After a power failure its time is reset to 1970-01-01, which causes digital-certificate-based IPSEC VPN negotiation to fail. Either NTP time synchronization must be configured, or time-check none must be configured in crypto pki trustpoint XX mode to turn off time checking.
2. All 3G clients that do not apply for digital certificates online need revocation-check none configured in crypto pki trustpoint XX mode to turn off the device's CRL check, unless the device can resolve the domain name of the CA service.
5. Configuration verification
You can view the certificate information named "ruijie" by running show crypto pki certificates ruijie:
Ruijie#show crypto pki certificates ruijie
% CA certificate info: //CA root certificate information
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: Dec 29 05:30:00 2010 GMT
Not After : Dec 29 05:39:30 2020 GMT //The validity period of the certificate. If the device time is not within the validity period of the certificate, the certificate cannot be used.
Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info: //Router certificate information
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0e:8b:73:00:00:00:00:00:19
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: May 15 07:55:30 2011 GMT
Not After : May 15 08:05:30 2012 GMT
Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/[email protected]
Associated Trustpoints: ruijie
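An added Python check (not part of the guide) for the validity rule noted above and in the Notice: it parses the device clock in the show clock format and the Not Before / Not After lines in the show crypto pki certificates format, and reports whether the device time falls inside each certificate's validity period. The sample output is constructed from the values shown in this guide.

```python
import re
from datetime import datetime, timezone

# Constructed sample output in the formats this guide shows: the device clock as printed
# by show clock, and validity lines as printed by show crypto pki certificates.
SHOW_CLOCK = "05:01:40 UTC Thu, Mar 6, 2003"
SHOW_CERTS = """\
% CA certificate info:
        Validity
            Not Before: Dec 29 05:30:00 2010 GMT
            Not After : Dec 29 05:39:30 2020 GMT
% Router certificate info:
        Validity
            Not Before: May 15 07:55:30 2011 GMT
            Not After : May 15 08:05:30 2012 GMT
"""

def parse_show_clock(line: str) -> datetime:
    """Parse Ruijie show clock output such as '05:01:40 UTC Thu, Mar 6, 2003' (UTC assumed)."""
    return datetime.strptime(line.strip(), "%H:%M:%S UTC %a, %b %d, %Y").replace(tzinfo=timezone.utc)

def parse_validity(show_output: str) -> dict:
    """Return {certificate name: (not_before, not_after)} from show crypto pki certificates."""
    result, name = {}, None
    for line in show_output.splitlines():
        head = re.match(r"% (.+?) certificate info:", line)
        if head:
            name = head.group(1)
            result[name] = [None, None]
            continue
        # Trailing "//" comments, as in the guide's listing, fall outside the captured group.
        m = re.match(r"\s*Not (Before|After)\s*:\s*(.+? GMT)", line)
        if m and name:
            stamp = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
            result[name][0 if m.group(1) == "Before" else 1] = stamp
    return {k: tuple(v) for k, v in result.items()}

def check_time(show_clock: str, show_output: str) -> dict:
    """True per certificate when the device clock is inside its validity period; False means
    the certificate cannot be used until the clock is corrected (NTP) or time-check none is set."""
    now = parse_show_clock(show_clock)
    return {name: nb <= now <= na for name, (nb, na) in parse_validity(show_output).items()}
```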