Feature overview
The router obtains its digital certificate by offline enrollment; with this method the router never has to communicate with the CA server.
Acquisition steps
1) The router generates a CERTIFICATE REQUEST string while enrolling the root certificate (step 4).
2) The REQUEST string is handed to the customer, who uses it to have the router certificate issued.
3) Once the router certificate is back, it is imported together with the CA root certificate that the customer also supplies, which completes the certificate import.
I. Network requirements
The router obtains its digital certificate by offline enrollment.
II. Topology
None
III. Configuration points
1. Confirm that the router's system time is correct
2. Configure a trustpoint to define a certificate authority
3. Enroll the root certificate to generate the Request string and submit it to the customer, who supplies the router certificate
4. Import the router certificate supplied by the customer, together with the CA certificate (which needs no input from us; the customer can export it themselves at any time), into the router
5. Configure the router to skip certificate validity and time checks (optional)
IV. Configuration steps
1. Confirm that the router's system time is correct
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: certificate attributes such as the revocation list and the validity period are tied to time, so the clock must be correct before any certificate work. A clock like the one shown above, years away from the current date, puts the device outside the certificate's validity period and the certificate cannot be used. Where conditions allow, configure NTP.
2. Configure a trustpoint to define a certificate authority
Internet(config)# crypto pki trustpoint ruijie          //trustpoint named ruijie
Internet(ca-trustpoint)# revocation-check none          //do not check the revocation list
Internet(ca-trustpoint)# enrollment offline             //define the offline enrollment method
You are about to be asked to enter you Distinguished Name(DN) information that will be incorporated into
your certificate request. There are quite a few fields but you can leave some blank   //set the DN for the offline certificate
Common Name (eg, YOUR name) []:tac                      //your name
Organizational Unit Name (eg, section) []:tac           //your organizational unit
Organization Name (eg, company) []:ruijie               //your company
Locality Name (eg, city) []:Fuzhou                      //your city
State or Province Name (full name) []:Fujian            //your province
Country Name (2 letter code) [CN]:CN                    //your two-letter country code
The subject name is: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
Is it correct[yes/no]:yes                               //confirm the DN; the bracketed fields above can be filled in as you like
Internet(ca-trustpoint)#
3. Enroll the root certificate to generate the Request string and submit it to the customer, who supplies the router certificate
Internet(config)# crypto pki enroll ruijie
Choose the size of the key modulus in the range of 384 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[1024]:                     //Enter accepts the 1024-bit default; 1024-bit RSA is below current key-size recommendations, so type 2048 (the largest size this prompt accepts) where the CA allows it
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
//Press Enter here. This step only serves to obtain the request string printed above; after Enter the router reports that the certificate import failed, which is expected at this point.
CA certificate decode fail.
CA certificate import fail.
enroll offline failed.
4. Import the router certificate supplied by the customer, together with the CA certificate (which needs no input from us; the customer can export it themselves at any time), into the router
Internet(config)# crypto pki enroll ruijie
router already has RSA key pair,
%% Do you want to generate a new private key?[yes/no]:no      //answer no: the certificate was issued for the existing key pair, and a new key would make it unusable
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.        //paste the CA root certificate supplied by the customer
-----BEGIN CERTIFICATE-----
MIIDTzCCAjegAwIBAgIQN55wTyRR+5FLPBhQ7hYWDDANBgkqhkiG9w0BAQUFADA6MRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEY25jYzENMAsGA1UEAxMEQ05DQzAeFw0xNTA0MjAwMTUxMTFaFw0yNTA0MjAwMjAxMTBaMDoxEzARBgoJkiaJk/IsZAEZFgNjb20xFDASBgoJkiaJk/IsZAEZFgRjbmNjMQ0wCwYDVQQDEwRDTkNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCjE7U9YVzco3Gm3nj1NiyqCFiUcj9eYMTV+Ma5SgcRbkZkQxBl1/OfnnJwrB3tolieWXjFOdVNch4Z0fSMzgFqjv0q4VXa9H7R+LoRKUYB07beQ33YdVu1AobpgpLFadzkg5gRYcvm/xa0Z7LIvAZ3yR6zY4HwaevCUrdxn5PeUg77fVg2COWh1Esqw4sBxXhrCfFCWGmhYb8n1q4WiHqjk/UB4C0o6bOrvJ93q/5RQqsj95xtLb1AXmbUT8DV8Roa9mm5YJT/bBgvNNQijApuoRXK5pLIimU1Ie89vK7LlaetuePNsXr+mW7Ya9EsVRcbYJKKQ47vGr9jIwrSe5QIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU/svlla2w9YaRIxYCw+JTCMRKuhEwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAHhFt+r4gTjZ7L1dxqDwnBOaGAEsM/LoimjhNVG7lgIbPHO7cMDbFj56yngkKSI/si8Y6TBwmPo9IhTHvNUh66pxEhxzs/8kPOJilFqqxZLmmYInT1TJQoDWBr7gmsec3lmKL+2s8AgGnHa+PYWrodT+ZWCHLe7gZDjyjYRLHSqmSJHp5QvRUg2DziXhqmoGrIxbXpOSynJSdXTTXHByj17dv6LRY09/6rxx/UyiPEO3q5PrQ3xPluBfNnaTGpEVAK+i64TDVNPuM9y2ULRWRP/mWACw7y8uSv0fpr7QHkNaxXcbzuUvWmWEGkuKDBf45Qg5a3Gvr+Ua++O935lDzOU=
-----END CERTIFICATE-----
quit                                                          //type quit
Certificate has the following attributes:
MD5 fingerprint: 90AD60A5 DFEA40D0 1F97E9BD 6CA8589F
SHA1 fingerprint: 6848FBC4 CF53FA89 BE239913 5F705F2E 239A3850
%% Do you accept this certificate?[yes/no]:y                  //compare the fingerprints with values obtained from the CA operator out of band before answering yes; this prompt is the only check that the pasted certificate is the customer's real root
% CA Certificate successfully readed
%% All ca certificate imported?[yes/no]: y
% Enter PEM-formatted certificate.                            //now paste the router certificate supplied by the customer
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit                                                          //type quit to finish
% Router Certificate successfully imported
5. Configure the router to skip certificate validity and time checks (optional)
crypto pki trustpoint ruijie          //enter the trustpoint of the certificate
time-check none                       //disable the certificate time check
revocation-check none                 //do not check whether the certificate has been revoked
Note:
1. The RSR10-02 has no real-time clock chip, so after a power cycle its time resets to 1970-01-01 and certificate-based IPsec VPN negotiation fails. Either configure NTP time synchronisation or disable the time check with time-check none under crypto pki trustpoint XX.
2. Every 3G client that did not enroll its certificate online must have revocation-check none configured under crypto pki trustpoint XX to disable CRL checking, unless the device can resolve the CA server's domain name.
Both settings trade validation for availability: with time-check none an expired or not-yet-valid certificate is accepted, and with revocation-check none a revoked certificate is accepted. Prefer NTP and a reachable CRL distribution point wherever the network allows it.
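The checks a practitioner wants around steps 1 to 4 and appendix 2 can be run on a workstation with openssl before anything is pasted into the router. The script below is an added example and is not from the original page or from Ruijie: a throwaway CA created by the script stands in for the customer's CA (certsrv in the appendix), and a key pair and PKCS#10 request generated by the script stand in for the router's "crypto pki enroll" output, using the DN from step 2. The CA name, the file names and the work directory are assumptions. It checks that the request survived copying intact and carries the expected subject, prints the CA fingerprint in the router's display format for comparison with the step 4 prompt, confirms the issued certificate chains to the CA and matches the request's public key (why step 4 answers "no" to generating a new key), and validates the chain against a clock set to the 2003 date from step 1.

```shell
#!/bin/sh
# Added example, not from the original page. Reproduces the offline enrollment
# flow with openssl so each artifact can be checked before it is pasted into the
# router: a throwaway CA created here stands in for the customer's CA, and a key
# pair and CSR generated here stand in for the "crypto pki enroll" output.
# File names, the CA name and the work directory are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Private config so the result does not depend on the system openssl.cnf.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# Throwaway root CA (the customer's CA of the appendix).
make_test_ca() {
    openssl req -x509 -config "$CNF" -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/DC=com/DC=example/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# Stand-in for step 3: 2048-bit key pair plus PKCS#10 request with the step 2 DN.
make_router_csr() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=Fujian/L=Fuzhou/O=ruijie/OU=tac/CN=tac" \
        -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
}

# Before submitting: the CSR is self-signed, so a failed verify means the copy
# was truncated or re-wrapped (what the appendix note warns about), and the
# subject should be the DN entered at step 2, not something else.
csr_is_intact() { openssl req -in "$WORK/router.csr" -noout -verify >/dev/null 2>&1; }
csr_subject() { openssl req -in "$WORK/router.csr" -noout -subject | sed 's/^[^=]*=//'; }

# CA side (appendix 2, with openssl in place of certsrv): sign the request.
issue_router_cert() {
    openssl x509 -req -in "$WORK/router.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions leaf_ext \
        -out "$WORK/router.cer" 2>/dev/null
}

# CA certificate fingerprint in the router's display format (groups of eight hex
# digits) for comparison with the "Do you accept this certificate?" prompt of
# step 4. $1 is the digest: sha1 (what the router prints) or sha256. Answer yes
# only when the value matches one obtained from the CA operator out of band.
ca_fingerprint() {
    openssl x509 -in "$WORK/ca.cer" -noout -fingerprint "-$1" \
        | cut -d= -f2 | tr -d ':' | sed -e 's/.\{8\}/& /g' -e 's/ $//'
}

# A root CA certificate is self-signed: issuer and subject must be identical.
ca_is_self_signed() {
    iss=$(openssl x509 -in "$WORK/ca.cer" -noout -issuer | sed 's/^[^=]*=//')
    sub=$(openssl x509 -in "$WORK/ca.cer" -noout -subject | sed 's/^[^=]*=//')
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# The issued certificate must chain to the CA certificate being imported ...
router_cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.cer" "$WORK/router.cer" >/dev/null 2>&1
}

# ... and must carry the public key from the router's own CSR (hence "no" to
# "generate a new private key?" at step 4); a cert for another request is useless.
cert_matches_csr_key() {
    k1=$(openssl req -in "$WORK/router.csr" -noout -pubkey | openssl dgst -sha256)
    k2=$(openssl x509 -in "$WORK/router.cer" -noout -pubkey | openssl dgst -sha256)
    [ "$k1" = "$k2" ]
}

# Step 1 in code: validate the chain as the router would with its clock at $1
# (epoch seconds). A clock still at 2003 or 1970 falls before notBefore.
cert_valid_at() {
    openssl verify -attime "$1" -CAfile "$WORK/ca.cer" "$WORK/router.cer" >/dev/null 2>&1
}

run_demo() {
    make_test_ca; make_router_csr; issue_router_cert
    csr_is_intact && echo "CSR intact, subject: $(csr_subject)"
    echo "CA SHA1 fingerprint:   $(ca_fingerprint sha1)"
    echo "CA SHA256 fingerprint: $(ca_fingerprint sha256)"
    ca_is_self_signed && router_cert_chains_to_ca && cert_matches_csr_key \
        && echo "router certificate chains to the CA and matches the CSR key"
    cert_valid_at "$(date +%s)" && echo "chain valid with a correct clock"
    cert_valid_at 1046934100 || echo "chain rejected with the clock at 2003-03-06 (see step 1)"
}
run_demo
```

Run it with sh; it leaves its files under a fresh mktemp directory unless WORK is set. Against a real deployment, skip make_test_ca and issue_router_cert, copy the customer's root and the issued certificate to $WORK/ca.cer and $WORK/router.cer and the router's printed request to $WORK/router.csr, then run the remaining checks; the SHA-1 value printed by ca_fingerprint is laid out exactly like the router's "SHA1 fingerprint:" line, and the SHA-256 value is the one worth recording.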
V. Verification
show crypto pki certificates ruijie displays the certificates of the trustpoint named "ruijie":
Ruijie#show crypto pki certificates ruijie
% CA certificate info:
//CA root certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: Dec 29 05:30:00 2010 GMT
Not After : Dec 29 05:39:30 2020 GMT
//validity period of the certificate; if the device time lies outside it, the certificate cannot be used
Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info:
//router certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0e:8b:73:00:00:00:00:00:19
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: May 15 07:55:30 2011 GMT
Not After : May 15 08:05:30 2012 GMT
Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/[email protected]
Associated Trustpoints: ruijie
Appendix
1. Exporting the root certificate from the CA
The exported .cer file can be opened and inspected in WordPad.
2. How the customer obtains the router certificate from the request
(1) On the CA certificate server open http://202.100.1.11/certsrv/ and click "Request a certificate".
(3) On the page that appears, click "advanced certificate request".
(4) On the page that appears, click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".
(5) On the page that appears, paste the request string obtained from the router into "Saved Request:" and click Submit.
Note: copy the entire request, from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- inclusive.
(6) Issue the certificate on the CA
(7) View the issued certificate
(8) On the page that appears, select "Base 64 encoded" and click "Download certificate".
6. Importing the certificate
(1) After download the certificate is named certnew.cer by default; open it in WordPad.