
Enrolling a Cisco router's certificate with a Windows 2000 CA

dn001

  hostname myrouter
  ip domain-name test.com
  crypto key generate rsa
  !--- Generate the RSA key pair; a key length of at least 1024 bits is recommended. The generated public key can be checked with "sh cry key mypubkey rsa"; the private key cannot be displayed, for security reasons.
  crypto ca identity myca
   enrollment mode ra
   enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll
   crl optional
  !--- "enrollment mode ra" sets the CA enrollment method to RA (Registration Authority); when Windows 2000 is the CA, RA enrollment must be used.
  !--- "crl optional" lets the router accept the peer's certificate even when the CRL (Certificate Revocation List) is unavailable.
  !--- "enrollment url http://192.168.0.2:80/certsrv/mscep/mscep.dll" defines the URL of the CA.
  
  A note here: Cisco uses its own SCEP (Simple Certificate Enrollment Protocol) to contact the CA and obtain the root certificate. The Windows 2000 CA service does not support SCEP by default; the add-on tool Cepsetup.exe from the Windows 2000 Resource Kit has to be installed before http://192.168.0.2:80/certsrv/mscep/mscep.dll can be opened in IE.
  
  crypto ca authenticate myca
  !--- Obtain the CA's certificate; the prompt looks roughly like this:
  Certificate has the following attributes:
  Fingerprint: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5
  % Do you accept this certificate? [yes/no]: y
  !--- The CA certificate's fingerprint can be obtained by opening http://192.168.0.2:80/certsrv/mscep/mscep.dll; compare the two fingerprints to confirm that the CA is the one you expect before answering yes.
  !--- Once the CA certificate has been obtained, check it with "show cry ca cert":
  ...
  CA Certificate
  Status: Available
  Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
  Key Usage: Signature
  ...
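The yes/no prompt above is the one place in the procedure where the router's trust in the CA is decided, so the fingerprint it prints should be compared with the value read from the CA out of band rather than eyeballed. The following is an added example, not code from the article or from Cisco. It assumes the router renders a 128-bit digest as four groups of eight hex digits (the shape of the output shown above) and that the digest is MD5 over the DER-encoded CA certificate, as older IOS releases used; the transcript and the reference value are constructed from the article's figures.

```python
"""Out-of-band check of the CA fingerprint printed by 'crypto ca authenticate'.

Added example (not from the article). Assumptions: four groups of eight hex
digits, MD5 over the DER certificate. The reference fingerprint is whatever
the administrator reads from the CA's mscep.dll page; here it is constructed.
"""
import hashlib
import hmac
import re
from typing import Optional

# Matches the "Fingerprint:" line the router prints (four 8-hex-digit groups).
FINGERPRINT_RE = re.compile(r"Fingerprint:\s*((?:[0-9A-Fa-f]{8}\s*){4})")


def normalize(fp: str) -> str:
    """Drop grouping spaces and case so two renderings of one digest compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def cisco_fingerprint(der_cert: bytes, algorithm: str = "md5") -> str:
    """Digest a DER certificate and render it in the router's grouped style."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def extract_router_fingerprint(router_output: str) -> Optional[str]:
    """Pull the normalized fingerprint out of the router's authenticate transcript."""
    m = FINGERPRINT_RE.search(router_output)
    return normalize(m.group(1)) if m else None


def fingerprints_match(router_fp: str, reference_fp: str) -> bool:
    """Constant-time comparison after normalization; answer 'yes' only when this is True."""
    a, b = normalize(router_fp), normalize(reference_fp)
    return bool(a) and hmac.compare_digest(a, b)


# Constructed router transcript, shaped like the one in the article.
ROUTER_OUTPUT = """Certificate has the following attributes:
Fingerprint: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5
% Do you accept this certificate? [yes/no]:"""

if __name__ == "__main__":
    seen = extract_router_fingerprint(ROUTER_OUTPUT)
    # Constructed: the value an administrator would have read from the CA itself.
    reference = "1fcdf2c8 2deda6ac 4819d4c4 b4cff2f5"
    print("accept" if seen and fingerprints_match(seen, reference) else "reject")
```

If a DER copy of the CA certificate is available on a workstation, cisco_fingerprint() produces the same grouped string the router shows, so the comparison can be scripted instead of read off a browser page.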
  
  crypto ca enroll myca
  !--- Send the public key to the CA and obtain the router's own certificate; the prompt looks roughly like this:
  % Start certificate enrollment ..
  % Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
  Password:
  Re-enter password:
  % The subject name in the certificate will be: myrouter.test.com
  % Include the router serial number in the subject name? [yes/no]: n
  % Include an IP address in the subject name? [yes/no]: n
  Request certificate from CA? [yes/no]: y
  % Certificate request sent to Certificate Authority
  % The certificate request fingerprint will be displayed.
  % The 'show crypto ca certificate' command will also show the fingerprint.
  myrouter(config)# Fingerprint: A1D6C28B 6575AD08 F0B656D4 7161F76F
  3d09h: CRYPTO_PKI: status = 102: certificate request pending
  !--- Pay attention to the Password part above; I spent a long time stuck here. This password is the enrollment challenge password and is supplied by the CA: open http://192.168.0.2:80/certsrv/mscep/mscep.dll in IE once more to obtain it, then copy and paste the challenge password at the password prompt. Note that it is an OTP (One Time Password) and is valid for 60 minutes.
  
  After the request is submitted, run "show cry ca cert" again; the router's Certificate now shows a status of Pending:
  Certificate
  Status: Pending
  
  On the CA, the request appears under Pending Requests; select Issue to issue the certificate. After a short while the router logs a message like:

  3d09h: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
  
  Now "show cry ca cert" shows the Certificate with a status of Available:
  Certificate
  Status: Available
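Enrollment is only finished when both blocks of "show cry ca cert" report Available, and the CERTRET syslog line is the event that marks the transition. The following added example, not from the article or from Cisco, parses the two outputs shown above into a simple state check; the sample text is constructed to match the article's transcripts, with the serial number and message text copied from them.

```python
"""Track router certificate enrollment state from 'show crypto ca certificate'
output and the %CRYPTO-6-CERTRET syslog message.

Added example (not from the article). Assumes each certificate block starts
with a header line reading exactly 'CA Certificate' or 'Certificate' and
carries 'Key: Value' lines beneath it, as in the article's transcripts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_HEADERS = ("CA Certificate", "Certificate")
CERTRET_RE = re.compile(r"%CRYPTO-6-CERTRET: Certificate received from Certificate Authority")


@dataclass
class CertEntry:
    kind: str                                   # "CA Certificate" or "Certificate"
    status: Optional[str] = None                # "Available" or "Pending" in the article
    fields: Dict[str, str] = field(default_factory=dict)


def parse_show_crypto_ca_cert(text: str) -> List[CertEntry]:
    """Split the command output into certificate blocks keyed by their header line."""
    entries: List[CertEntry] = []
    current: Optional[CertEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in BLOCK_HEADERS:
            current = CertEntry(kind=line)
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                current.status = value
            else:
                current.fields[key] = value
    return entries


def enrollment_complete(entries: List[CertEntry]) -> bool:
    """True only when the CA certificate and the router's own certificate are both Available."""
    status_by_kind = {e.kind: e.status for e in entries}
    return (status_by_kind.get("CA Certificate") == "Available"
            and status_by_kind.get("Certificate") == "Available")


def certificate_received(syslog_line: str) -> bool:
    """Detect the syslog line the router emits once the CA has issued the certificate."""
    return CERTRET_RE.search(syslog_line) is not None


# Constructed samples; field values are taken from the article's transcripts.
PENDING_OUTPUT = """CA Certificate
  Status: Available
  Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
  Key Usage: Signature
Certificate
  Status: Pending
"""
AVAILABLE_OUTPUT = PENDING_OUTPUT.replace("Status: Pending", "Status: Available")
SYSLOG_LINE = "3d09h: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority"

if __name__ == "__main__":
    print("pending:", enrollment_complete(parse_show_crypto_ca_cert(PENDING_OUTPUT)))
    print("issued:", enrollment_complete(parse_show_crypto_ca_cert(AVAILABLE_OUTPUT)))
    print("syslog seen:", certificate_received(SYSLOG_LINE))
```

Running the same parser over output collected later is also a cheap way to notice when the router's certificate block drops out of the Available state, which is the symptom the clock-skew note below tends to produce.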
  
  Points to watch during the configuration:
  1. CA authentication is sensitive to the system clock; if at all possible, synchronize the CA and the CA clients with NTP.
  2. The overall CA configuration steps are:
   * define the CA's identification information
   * obtain the CA's certificate
   * generate the public/private key pair
   * send the public key to the CA and obtain the router's own certificate
   * distribute the certificates and verify their validity
  3. The time limit on the one-time password.
  
  Here is also a reference document; it is very detailed and well written:
  Enrolling for Certificates from a Cisco Router
  http://www.tburke.net/info/reskittools/topics/mscep_enrolling.htm