About the author

Name: 大萝卜
Occupation: I heard that technical support is the most thankless job in IT, and that is when I started feeling depressed!
Signature: I thought we belonged to the same /30, but the Ping timed out and I realized we were in different VLANs. I tried using love as the Route and verified it with Traceroute, but Netstat's SYN_RECEIVED result broke my heart. So I chose deny any and deny ip any any, yet in my heart I keep hoping for the day VPN arrives; please put me inside your ACL.
Mailto: bxz1981#gmail.com
PIX 7.21 receives a digital certificate from a Router (IOS CA)
=======================================================================
R6 is a CA server
=======================================================================
Router(config)#host r6
r6(config)#ip http server
r6(config)#clock timezone EST -5
r6(config)#cloc
*Jul 4 17:42:36.551: %SYS-6-CLOCKUPDATE: System clock has been updated from 17:42:36 UTC Tue Jul 4 2006 to 12:42:36 EST Tue Jul 4 2006, configured from console by cons
r6(config)#clock summer-time EST recurring
r6(config)#
*Jul 4 17:42:58.271: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:42:58 EST Tue Jul 4 2006 to 13:42:58 EST Tue Jul 4 2006, configured from console by console.
r6(config)#do clock set 13:56:00 Jul 4 2006
r6(config)#
*Jul 4 17:56:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 13:43:31 EST Tue Jul 4 2006 to 13:56:00 EST Tue Jul 4 2006, configured from console by console.
r6(config)#ip domain-name test.com
r6(config)#crypto key gen
r6(config)#crypto key generate rsa ?
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>
r6(config)#crypto key generate rsa general
r6(config)#crypto key generate rsa general-keys ?
  exportable  Allow the key to be exported
  label       Provide a label
  modulus     Provide number of modulus bits on the command line
  <cr>
r6(config)#crypto key generate rsa general-keys label ?
  WORD  RSA keypair label
r6(config)#$generate rsa general-keys label test modulus 1024 exportable
The name for the keys will be: test
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
Jul 4 17:58:06.403: %SSH-5-ENABLED: SSH 1.99 has been enabled
r6(config)#do sh crypto key mypubkey rsa
% Key pair was generated at: 13:58:06 EST Jul 4 2006
Key name: test
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00ACB297 38A6E9EB 8D46A7F4 4D769AF0 13C12099 A936B1E8 E6766349 49952984 66B138F2 EEB8B942 C3C3B54C B4AE381C 38B36EA2 93E7D7FA A1DF21CC F6C33F12 D997B439 84565274 7EEE9A3E 7D39428D 6C40D08F 4D8AC6FF ABC99D17 C0D79A91 4E744B8B 117ECB1D A58C3796 287C4358 24CB9C5F C76186E0 7311F46E 7B0D09C3 EF020301 0001
% Key pair was generated at: 13:58:09 EST Jul 4 2006
Key name: test.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AB5685 02B6560F 5917F04B 069C953D 0FB1928D D32AFC02 A23F1F87 3CA18D85 CF1D1511 9C4AEC8E 5D89787C C5E00693 60CCDC7F 6FE11065 E1956652 4838DA98 C65971AD 96E1A71E 245C0A06 18D28D2F FCB2635A D8315453 00757361 D9A7F883 AD020301 0001
r6(config)# crypto pki ?
  authenticate  Get the CA certificate
  certificate   Actions on certificates
  crl           Actions on certificate revocation lists
  enroll        Request a certificate from a CA
  export        Export certificate or PKCS12 file
  import        Import certificate or PKCS12 file
  profile       Define a certificate profile
  server        Enable IOS Certificate server
  token         Configure cryptographic token
  trustpoint    Define a CA trustpoint
r6(config)# crypto pki server ?
  WORD  Certificate Server Name
r6(config)# crypto pki server test
r6(cs-server)#?
CA Server configuration commands:
  cdp-url      CRL Distribution Point to be included in the issued certs
  database     Certificate Server database config parameters
  default      Set a command to its defaults
  exit         Exit from Certificate Server entry mode
  grant        Certificate granting options
  issuer-name  Issuer name
  lifetime     Lifetime parameters
  mode         Mode
  no           Negate a command or set its defaults
  shutdown     Shutdown the Certificate Server
r6(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Exporting Certificate Server signing certificate and keys...
r6(cs-server)#exit
r6(config)#int e0/0
r6(config-if)#ip add 172.29.6.101 255.255.255.0
r6(config-if)#no sh
r6(config-if)#
Jul 4 18:00:03.531: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Jul 4 18:00:04.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
=======================================================================
PIX will get the digital certificate from CA (R6)
=======================================================================
pixfirewall# conf t
pixfirewall(config)# hostname pix
pix(config)# domain-name test.com
pix(config)# clock timezone EST -5
pix(config)# clock summer-time EST recurring
pix(config)# clock set 13:46:00 4 jul 2006
pix(config)# int e0
pix(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pix(config-if)# ip addr 172.29.6.1 255.255.255.0
pix(config-if)# no sh
pix(config-if)# exit
pix(config)# failover active
pix(config)# crypto key generate rsa ?

configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate seperate RSA key pairs for signing and encryption
  <cr>
pix(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
pix(config)# sh crypto key mypubkey rsa
Key pair was generated at: 13:48:13 EST Jul 4 2006
Key name: <Default-RSA-Key>
 Usage: General Purpose Key
 Modulus Size (bits): 1024
 Key Data:
  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b9eb0b 1b9b24c2 3d05206e 25f7444c 9d8c4de8 8f80b8e2 472bd273 c072c46b 4ac413a8 1a336d94 4d10453d 44bbdb46 3e3e88ae fb784741 a01e1fe1 674cd522 146c44aa b933bdef b8d5660b 31f2fa3d 21195e60 404ed91c 8d66dae6 1f6811d3 a76bb3d1 35bb17c0 f4989f47 98ab01e1 34218e1d 63a1e834 f772119e 3660fe83 2d020301 0001
pix(config)# crypto ca trustpoint ca-srv
pix(config-ca-trustpoint)# enrollment url http://172.29.6.101
pix(config-ca-trustpoint)# exit
pix(config)# crypto ca authenticate ca-srv

INFO: Certificate has the following attributes:
Fingerprint: c5caade4 637a290e 9154d160 79b23e6f
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

pix(config)# crypto ca enroll ca-srv
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.

Password: 1234567
Re-enter password: 1234567

% The fully-qualified domain name in the certificate will be: pix.test.com

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 480430233

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
=======================================================================
Manual grant from CA (R6)
=======================================================================
r6#crypto pki server test info ?
  crl       Certificate Revocation List
  requests  Enrollment Requests
r6#crypto pki server test info request
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                       SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                       SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                       SubjectName
--------------------------------------------------------------
1      pending    195D8A88FD417D6325CEA83F02E29589  serialNumber=480430233+hostname=pix.test.com

r6#crypto pki server test grant 1
=======================================================================
pix(config)# The certificate has been granted by CA!
pix(config)# sh cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=test
  Subject Name:
    serialNumber=480430233+hostname=pix.test.com
  Validity Date:
    start date: 14:11:59 EST Jul 4 2006
    end   date: 14:11:59 EST Jul 4 2007
  Associated Trustpoints: ca-srv

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=test
  Subject Name:
    cn=test
  Validity Date:
    start date: 13:59:29 EST Jul 4 2006
    end   date: 13:59:29 EST Jul 3 2009
  Associated Trustpoints: ca-srv
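As an added check for the two trust decisions in the walkthrough (accepting the CA fingerprint at "crypto ca authenticate", and granting ReqID 1 on R6), the following Python is example code written for this page, not anything shipped with PIX or IOS: it parses the "crypto pki server test info request" table shown above, normalizes fingerprints the way devices print them, and only approves pending requests whose hostname and serialNumber match what the administrator read off the enrolling device's own console. The request table and the PIX fingerprint are copied from this page; the expected-device map is a constructed input.

```python
import re

# Constructed sample, copied from the "crypto pki server test info request"
# output on this page (router-certificate section only).
CA_INFO_REQUESTS = """\
Enrollment Request Database:

Router certificates requests:
ReqID  State      Fingerprint                       SubjectName
--------------------------------------------------------------
1      pending    195D8A88FD417D6325CEA83F02E29589  serialNumber=480430233+hostname=pix.test.com
"""

# One request row: ReqID, State, 32-hex-digit MD5 fingerprint, '+'-joined subject attributes.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)\s*$", re.M)


def parse_requests(text):
    """Parse the IOS CA request table into dicts; subject attributes become a dict."""
    rows = []
    for req_id, state, fp, subject in ROW_RE.findall(text):
        attrs = dict(part.split("=", 1) for part in subject.split("+"))
        rows.append({"id": int(req_id), "state": state,
                     "fingerprint": fp.lower(), "subject": attrs})
    return rows


def normalize_fingerprint(fp):
    """Strip spaces, colons and case so device and CA renderings compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(shown_on_device, known_good):
    """True when the fingerprint prompted at 'crypto ca authenticate' equals one
    obtained out of band from the CA. The enrollment URL above is plain HTTP,
    so this prompt is what binds the PIX to the intended CA."""
    return normalize_fingerprint(shown_on_device) == normalize_fingerprint(known_good)


def requests_to_grant(text, expected_devices):
    """expected_devices maps hostname -> serial number as read from each device's
    console (the PIX printed 480430233). Only pending requests whose subject
    matches a known device are returned for 'crypto pki server <name> grant'."""
    grant = []
    for row in parse_requests(text):
        if row["state"] != "pending":
            continue
        host = row["subject"].get("hostname")
        serial = row["subject"].get("serialNumber")
        if host in expected_devices and expected_devices[host] == serial:
            grant.append(row["id"])
    return grant


if __name__ == "__main__":
    print(requests_to_grant(CA_INFO_REQUESTS, {"pix.test.com": "480430233"}))  # [1]
```

A request whose serial or hostname does not match the console-reported values stays pending for investigation instead of being granted.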
Posted: 2006-12-14, modified: 2007-03-07 09:42. Viewed 1769 times, 0 comments.
Copyright © 2001-2006 ChinaUnix.net All Rights Reserved