Category: System Operations
2008-05-20 16:22:21
hostname myrouter
ip domain-name test.com
crypto key generate rsa
!--- Generate the key pair; a key length of at least 1024 bits is recommended. Use sh cry key mypubkey rsa to check the generated public key; for security reasons the private key cannot be viewed
crypto ca identity myca
enrollment mode ra
enrollment url
crl optional
!--- enrollment mode ra sets the CA enrollment method to RA (Registration Authority); if a Windows 2000 server acts as the CA, RA enrollment must be used
!--- crl optional allows the peer's certificate to be accepted even when the CRL (Certificate Revocation List) is unavailable
!--- enrollment url gives the URL of the CA server.
A note here: Cisco uses its own SCEP (Simple Certificate Enrollment Protocol) to talk to the CA and fetch the root certificate. The Windows 2000 CA service has no SCEP support by default; it needs an add-on tool from the Windows 2000 Resource Kit, Cepsetup.exe, and only after that is installed can the enrollment page be opened in IE.
crypto ca authenticate myca
!--- Obtain the CA's certificate; the prompt looks roughly like this:
Certificate has the following attributes:
Fingerprint: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5
% Do you accept this certificate? [yes/no]: y
!--- Once the CA certificate has been obtained, use show cry ca cert to check the CA Certificate
...
CA Certificate
Status: Available
Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
Key Usage: Signature
...
crypto ca enroll myca
!--- Send the public key to the CA and obtain the router's own certificate; the prompt looks roughly like this:
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: myrouter.test.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The show crypto ca certificate command will also show the fingerprint.
myrouter(config)# Fingerprint: A1D6C28B 6575AD08 F0B656D4 7161F76F
3d09h: CRYPTO_PKI: status = 102: certificate request pending
!--- Note the Password prompt above; I spent a long time stuck here. This password is called the enrollment challenge password and is provided by the CA: you need to open the CA's enrollment page in IE, then copy and paste the challenge password shown there into this prompt. Note that it is a one-time password (OTP) and is valid for 60 minutes.
After enrolling, run show cry ca cert again and the certificate's status shows as Pending:
Certificate
Status: Pending
In the CA's Pending Requests view you can find this pending certificate request; select Issue to issue the certificate. After a while the router shows a message like the following:
3d09h: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Now run show cry ca cert again and the certificate's status shows as Available:
Certificate
Status: Available
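Two checks from this post that are easy to script, as an added example that is not part of the original post: comparing the CA fingerprint the router prompts with against a copy of the CA certificate obtained out of band (assumed here to be the MD5 of the DER-encoded certificate, which the 32-hex-digit format implies), and reading the status of each certificate from show crypto ca certificates output. The certificate bytes and the output excerpt below are constructed sample data, not a real CA certificate.

```python
import base64
import hashlib
import re

# Constructed sample data. The output is modelled on the show crypto ca cert
# excerpts in the post; the "certificate" is just b"abc" wrapped in PEM so the
# expected MD5 is a known test vector rather than a real CA certificate.
SAMPLE_SHOW_OUTPUT = """\
Certificate
  Status: Pending

CA Certificate
  Status: Available
  Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
  Key Usage: Signature
"""
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
PROMPTED_FINGERPRINT = "1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5"  # value shown in the post


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body back to DER."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def ios_fingerprint(der: bytes) -> str:
    """MD5 over the DER bytes, printed IOS-style: four groups of 8 uppercase hex digits."""
    digest = hashlib.md5(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def fingerprint_matches(shown: str, der: bytes) -> bool:
    """Compare the router's prompt with our own computation, ignoring spacing and case."""
    return shown.replace(" ", "").upper() == ios_fingerprint(der).replace(" ", "")


def parse_cert_status(show_output: str) -> dict:
    """Map each certificate heading ('Certificate', 'CA Certificate') to its Status and serial."""
    result, current = {}, None
    for line in show_output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if ":" not in stripped and stripped.endswith("Certificate"):
            current = stripped  # a heading line, e.g. "CA Certificate"
            result[current] = {"status": None, "serial": None}
        elif current and stripped.startswith("Status:"):
            result[current]["status"] = stripped.split(":", 1)[1].strip()
        elif current and stripped.startswith("Certificate Serial Number:"):
            result[current]["serial"] = stripped.split(":", 1)[1].strip()
    return result
```

Only accept the certificate at the "Do you accept this certificate?" prompt when fingerprint_matches returns True for the CA certificate you fetched by a separate channel.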
A few things to watch out for during configuration:
1. CA authentication is very sensitive to system time; if possible, synchronise the clocks of the CA server and the CA clients with NTP.
2. The general steps for CA authentication are:
* Define the identification information for the CA
* Obtain the CA's certificate
* Generate the public/private key pair
* Send the public key to the CA and obtain the router's own certificate
* Distribute the certificate and verify its validity