数字证书实验-CA
一.
作为证书服务器 首先要保证时间的准确
R3(config)#clock timezone GMT +8
R3#clock set 14:00:00 10 Aug 2009
R3(config)#ntp master
申请端的时间同步设置
R2(config)#clock timezone GMT +8
R2(config)#ntp server 123.123.123.3
校验时间是否同步 R2#show ntp status
R2#show clock
二. 配置CA SERVER证书服务器ip为 123.123.123.3
ip http server(由于使用SCEP的方式申请证书的 所以要打开IP HTTP SERVER)
ip domain name wolf.com (由于证书服务器要产生自己的公私钥,所以要设置域名,才可以生成公私钥)
crypto pki server ca
database level complete
database username tom password 0 tom (访问FTP服务器的用户名和密码 )
database archive pem password 0 123cisco123 (设置用PEM格式封装,密码123cisco123 是用来保密 CA的私钥)
database url ftp://123.123.123.123/ (存放证书的FTP服务器位置)
issuer-name cn=ca.server, ou=wolf (颁发者的信息)
cdp-url ftp://123.123.123.123/ca.crl (吊销列表的位置)
三.配置申请端
ip domain name cisco.com (设置域名,才可以生成公私钥)
R2(config)#crypto key generate rsa usage-keys
R2#show crypto key mypubkey rsa (校验生成的公私钥)
crypto pki trustpoint ca (配置要访问的证书服务器)
enrollment url http://123.123.123.3 (通过OCSP方式注册)
subject-name cn=R1, ou=ibm (注册者的相关信息)
revocation-check crl none (吊销检测,不进行CRL检测)
R2(config)#crypto pki authenticate ca (进行CA证书服务器的认证 ,即获取CA服务器的公钥)
敲完此命令后会出现
Certificate has the following attributes:
Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319
Fingerprint SHA1: C2662259 ABB5A8CB 009DAB11 A66C6D05 17D36DF7
% Do you accept this certificate? [yes/no]:
此时要向CA 服务器管理员电话咨询下 这个Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319 的正确性
CA管理员查阅R3#show crypto pki server
Certificate Server ca:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=ca, ou=wolf
CA cert fingerprint: FF4A5EAF D9926260 146AD6E8 C6DCC319 -----------CA管理员查阅的就是这个。。。
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 14:44:49 GMT Aug 9 2012
CRL NextUpdate timer: 20:44:57 GMT Aug 10 2009
Current primary storage dir: ftp://123.123.123.123
Database Level: Complete - all issued certs written as <serialnum>.cer
如果CA管理员查阅后证实这个Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319 ,就代表收到的是CA的公钥了
然后 你敲YES 接受这个CA的公钥,OK此时已经获得CA的公钥了
然后你查阅下你获得的CA证书的公钥信息
R2#show crypto pki certificates
R2(config)#crypto pki enroll ca (向CA服务器注册)
之后会出现
R2(config)#
Aug 10 07:14:06.525: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 7A5A105F D662BB08 0A7B57D3 E48AF5C6
Aug 10 07:14:06.529: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 013BA52B 5AC4DEB1 D1B67B00 E593188F 3FEBE5AE
R2(config)#
Aug 10 07:14:07.813: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: D8FA2E0B 004046E3 7E17FF2B E49E8A3F
Aug 10 07:14:07.825: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 332BCE20 9F2651C8 B0AF39A8 699D87DB E6089093
此时CA管理员会电话你问你注册的Fingerprint MD5时候正确
CA 管理员通过查阅
R3#crypto pki server ca info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending D8FA2E0B004046E37E17FF2BE49E8A3F hostname=R2.wolf.com,cn=R1,ou=ibm
1 pending 7A5A105FD662BB080A7B57D3E48AF5C6 hostname=R2.wolf.com,cn=R1,ou=ibm
向你确认,然后你告诉CA管理员确实是你注册的Fingerprint MD5,然后管理员得到你的确认后便将证书发放给你
R3#crypto pki server ca grant all
然后你在检测下CA 发放给你的证书
R2#show crypto pki certificates
证书部分完毕!!!!!
注:存放证书的FTP服务器只需安装个SERVERU (FTP服务端软件)即可!!
作为证书服务器 首先要保证时间的准确
R3(config)#clock timezone GMT +8
R3#clock set 14:00:00 10 Aug 2009
R3(config)#ntp master
申请端的时间同步设置
R2(config)#clock timezone GMT +8
R2(config)#ntp server 123.123.123.3
校验时间是否同步 R2#show ntp status
R2#show clock
二. 配置CA SERVER证书服务器ip为 123.123.123.3
ip http server(由于使用SCEP的方式申请证书的 所以要打开IP HTTP SERVER)
ip domain name wolf.com (由于证书服务器要产生自己的公私钥,所以要设置域名,才可以生成公私钥)
crypto pki server ca
database level complete
database username tom password 0 tom (访问FTP服务器的用户名和密码 )
database archive pem password 0 123cisco123 (设置用PEM格式封装,密码123cisco123 是用来保密 CA的私钥)
database url ftp://123.123.123.123/ (存放证书的FTP服务器位置)
issuer-name cn=ca.server, ou=wolf (颁发者的信息)
cdp-url ftp://123.123.123.123/ca.crl (吊销列表的位置)
三.配置申请端
ip domain name cisco.com (设置域名,才可以生成公私钥)
R2(config)#crypto key generate rsa usage-keys
R2#show crypto key mypubkey rsa (校验生成的公私钥)
crypto pki trustpoint ca (配置要访问的证书服务器)
enrollment url http://123.123.123.3 (通过OCSP方式注册)
subject-name cn=R1, ou=ibm (注册者的相关信息)
revocation-check crl none (吊销检测,不进行CRL检测)
R2(config)#crypto pki authenticate ca (进行CA证书服务器的认证 ,即获取CA服务器的公钥)
敲完此命令后会出现
Certificate has the following attributes:
Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319
Fingerprint SHA1: C2662259 ABB5A8CB 009DAB11 A66C6D05 17D36DF7
% Do you accept this certificate? [yes/no]:
此时要向CA 服务器管理员电话咨询下 这个Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319 的正确性
CA管理员查阅R3#show crypto pki server
Certificate Server ca:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=ca, ou=wolf
CA cert fingerprint: FF4A5EAF D9926260 146AD6E8 C6DCC319 -----------CA管理员查阅的就是这个。。。
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 14:44:49 GMT Aug 9 2012
CRL NextUpdate timer: 20:44:57 GMT Aug 10 2009
Current primary storage dir: ftp://123.123.123.123
Database Level: Complete - all issued certs written as <serialnum>.cer
如果CA管理员查阅后证实这个Fingerprint MD5: FF4A5EAF D9926260 146AD6E8 C6DCC319 ,就代表收到的是CA的公钥了
然后 你敲YES 接受这个CA的公钥,OK此时已经获得CA的公钥了
然后你查阅下你获得的CA证书的公钥信息
R2#show crypto pki certificates
R2(config)#crypto pki enroll ca (向CA服务器注册)
之后会出现
R2(config)#
Aug 10 07:14:06.525: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 7A5A105F D662BB08 0A7B57D3 E48AF5C6
Aug 10 07:14:06.529: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 013BA52B 5AC4DEB1 D1B67B00 E593188F 3FEBE5AE
R2(config)#
Aug 10 07:14:07.813: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: D8FA2E0B 004046E3 7E17FF2B E49E8A3F
Aug 10 07:14:07.825: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 332BCE20 9F2651C8 B0AF39A8 699D87DB E6089093
此时CA管理员会电话你问你注册的Fingerprint MD5时候正确
CA 管理员通过查阅
R3#crypto pki server ca info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending D8FA2E0B004046E37E17FF2BE49E8A3F hostname=R2.wolf.com,cn=R1,ou=ibm
1 pending 7A5A105FD662BB080A7B57D3E48AF5C6 hostname=R2.wolf.com,cn=R1,ou=ibm
向你确认,然后你告诉CA管理员确实是你注册的Fingerprint MD5,然后管理员得到你的确认后便将证书发放给你
R3#crypto pki server ca grant all
然后你在检测下CA 发放给你的证书
R2#show crypto pki certificates
证书部分完毕!!!!!
注:存放证书的FTP服务器只需安装个SERVERU (FTP服务端软件)即可!!