[Image 1: Issuing certificates to Cisco routers from a Microsoft CA server]

The previous article covered building a CA on an IOS router to issue certificates for *** authentication. This time we look at using a Microsoft CA server to do certificate authentication for the router.

Prerequisites:

1. The IIS service is enabled on the CA.

2. The Resource Kit Tools must be installed on Windows 2003 (note: this tool is not on the 2003 installation CD; it has to be downloaded from Microsoft's website: http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en )

3. The router's clock is synchronized with the CA/AD.

4. After installing the Resource Kit Tools, open the Command Shell and run cepsetup.

[Image 2]

[Image 3]

[Image 4]

Remember this address; it will be needed shortly.

[Image 5]

You can see it has been created.

[Image 6]

Router configuration

r1(config)#ip domain name liang.com
r1(config)#ip host contoso.com.local 202.1.100.102    ! AD domain name and IP
r1(config)#crypto key generate rsa usage-keys
The name for the keys will be: r1.liang.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
r1(config)#crypto pki trustpoint 202.1.100.102    ! missing from the capture; the trustpoint name is the one used by authenticate/enroll below
r1(ca-trustpoint)#enrollment mode ra
r1(ca-trustpoint)#enrollment url http://202.1.100.102:80/certsrv/mscep/mscep.dll
r1(ca-trustpoint)#revocation-check crl
r1(ca-trustpoint)#subject-name cn=r2 ou=cisco i=zhengzhou
r1(config)#crypto pki authenticate 202.1.100.102
Certificate has the following attributes:
       Fingerprint MD5: A3267F58 9A9EC6F7 B829A0B8 8CDC239F
      Fingerprint SHA1: 840B5626 DC206B25 D422C745 027BE178 D9E43920

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#crypto pki enroll 202.1.100.102
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:                                        ! the password is the challenge code shown on the CA's mscep web page
Re-enter password:

% The subject name in the certificate will include: cn=r2 ou=cisco i=zhengzhou
% The subject name in the certificate will include: r1.liang.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 00000000
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 202.1.100.102 verbose' command will show the fingerprint.

r1(config)#
May 18 18:17:14.655: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: D08E0D15 6458B730 80F420E7 50C7674C
May 18 18:17:14.659: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 29F834C3 0C394456 D8149A94 312C9D1A 222F0802
r1(config)#
May 18 18:17:15.999: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: AAF76201 20AB21BB F9A95518 ECBD7173
May 18 18:17:16.007: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 68D2A55C 39E71321 DDF2E5DD 913B2D56 B5F579D2
r1(config)#
May 18 18:18:30.399: %PKI-6-CERTRET: Certificate received from Certificate Authority
r1(config)#
May 18 18:18:42.011: %PKI-6-CERTRET: Certificate received from Certificate Authority
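The "Do you accept this certificate?" prompt above is the only point at which a wrong CA (the fetch is plain HTTP) can be caught, so the fingerprint should be checked against a value obtained independently. The following is an added example, not code from the original post or from Microsoft/Cisco: a stdlib-only Python script that pulls GetCACert from the same mscep.dll path used in the enrollment URL (the message=ca query value is an assumption), unpacks the PKCS#7 bundle that RA mode returns, and prints MD5/SHA1 in the 8-hex-digit grouping IOS shows; the DER helpers are a minimal subset written for this example.

```python
import hashlib
import urllib.request

def der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, raw_element, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def der_children(value):                      # children of a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_tlv(value, pos)
        out.append((tag, val, raw))
    return out

def der_encode(tag, body):                    # minimal encoder, only for constructed test input
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def extract_certs(der):
    """Certs in a GetCACert reply: a bare X.509 cert, or the CA/RA certs in PKCS#7."""
    _, top, raw, _ = der_tlv(der)
    kids = der_children(top)
    if kids[0][0] != 0x06:                    # no ContentInfo OID -> bare cert
        return [raw]
    signed = der_children(kids[1][1])[0]      # [0] EXPLICIT SignedData SEQUENCE
    for tag, val, _ in der_children(signed[1]):
        if tag == 0xA0:                       # [0] IMPLICIT certificates SET
            return [r for _, _, r in der_children(val)]
    return []

def cisco_fingerprints(cert_der):
    """MD5/SHA1 of the DER cert in the 8-hex-digit groups IOS prints."""
    def group(h):
        return " ".join(h[i:i + 8] for i in range(0, len(h), 8)).upper()
    return {"MD5": group(hashlib.md5(cert_der).hexdigest()),
            "SHA1": group(hashlib.sha1(cert_der).hexdigest())}

def fingerprint_matches(shown, cert_der, algo="SHA1"):   # 'shown' may use any spacing/case
    return shown.replace(" ", "").upper() == cisco_fingerprints(cert_der)[algo].replace(" ", "")

def fetch_ca_certs(ca_host):                  # plain HTTP, which is why this check matters
    url = f"http://{ca_host}/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return extract_certs(resp.read())
```

Run fetch_ca_certs from a host on a trusted path to the CA (or against a copy of the CA certificate exported on the server itself) and compare each returned certificate's fingerprints with the router's prompt; in RA mode the bundle holds both the CA and the RA certificates, and the prompt corresponds to the CA one.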

If the challenge code is wrong:

r3(config)#crypto pki enroll 202.1.100.102
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=r3 ou=nongda
% The subject name in the certificate will include: r3.liang.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 202.1.100.102 verbose' command will show the fingerprint.

r3(config)#
May 18 18:10:24.230: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 3DAD7EC7 79B03CA2 562BDF92 28D9F25A
May 18 18:10:24.234: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 72CBA0CB 1B060C8A EF95B12A 36BCAB99 5065E107
r3(config)#
May 18 18:10:25.582: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: F0FA2EFE 11928FB6 33281E25 D53C1AFF
May 18 18:10:25.586: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 35ADC86F 3F46A70F A7B5FB0A 8164638E B3BEC32B
r3(config)#
May 18 18:10:27.066: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
May 18  ! (log line truncated) the request could not be authorized

[Image 7]

[Image 8]

[Image 9]

[Image 10]