Windows 2003 part
1. Install the IIS web service
2. Install SCEP (Simple Certificate Enrollment Protocol)
3. Download the Windows 2003 add-on cepsetup.exe from Microsoft
Once cepsetup.exe has been installed, the following address becomes available: http://ca/certsrv/mscep/mscep.dll
Note: when you open this address in IE you are prompted for a user name and password. These are a system account and its password; an empty password is not allowed, so you must log on with a system account that has a password set before you can see the OTP challenge password, i.e. the string after "challenge password".
==============================
Router part:
ip domain-name kangta.com  required for generating the key pair
ip host ca 192.16.1.10  sets the CA server's host name and IP address
crypto key generate rsa general-keys modulus 1024  generates the router's RSA public/private key pair
crypto ca trustpoint ca  declares the trusted CA as the trustpoint named ca
enrollment mode ra  uses an RA as the PKI server that handles all enrollment transactions
enrollment url http://ca/certsrv/mscep/mscep.dll  defines the URL the router uses to reach the CA server
crl optional  !(note: this is effective)  accept the peer's certificate even when the CRL (certificate revocation list) is unavailable
After the configuration is complete:
crypto ca authenticate ca  verifies and retrieves the root certificate from the CA server
crypto ca enroll ca  the router requests its own identity certificate from the CA server
At this point you must enter a challenge password. This password is an OTP (one-time password) and is valid for 60 minutes. To obtain it, open the CA server's address in IE: http://ca/certsrv/mscep/mscep.dll. The page shows the challenge password; copy this challenge password and paste it at the password prompt. Only after this succeeds does the pending certificate request appear on the CA server.
Check: show run displays the certificate strings.
Once the CA's certificate has been obtained, use show cry ca cert to inspect the CA certificate.
Note:
crypto ca enroll ca
!--- sends the public key to the CA and obtains the router's own certificate; the prompts look roughly like this:
% start certificate enrollment ..
% create a challenge password. you will need to verbally provide this
password to the ca administrator in order to revoke your certificate.
for security reasons your password will not be saved in the configuration.
please make a note of it.
password:
re-enter password:
% the subject name in the certificate will be: myrouter.test.com
% include the router serial number in the subject name? [yes/no]: n
% include an ip address in the subject name? [yes/no]: n
request certificate from ca? [yes/no]: y
% certificate request sent to certificate authority
% the certificate request fingerprint will be displayed.
% the 'show crypto ca certificate' command will also show the fingerprint.
myrouter(config)# fingerprint: a1d6c28b 6575ad08 f0b656d4 7161f76f
3d09h: crypto_pki: status = 102: certificate request pending
After the request has been sent, run show cry ca cert again; the certificate status shows as pending:
certificate
status: pending
In the CA's Pending Requests you will find this certificate request; select Issue to issue the certificate. After a while the router receives a message like the following:
3d09h: %crypto-6-certret: certificate received from certificate authority
Now run show cry ca cert again; the certificate status shows as available:
×××-server(config)#do sh cry ca cer
ra keyencipher certificate
status: available
certificate serial number: 61049f78000000000003
certificate usage: encryption
issuer:
cn=ca
subject:
ea=kangta
cn=kangta
ou=kangta
o=kangta
l=kangta
st=kangta
c=us
crl distribution points:
http://ca/certenroll/ca.crl
validity date:
start date: 08:05:12 utc sep 5 2010
end date: 08:15:12 utc sep 5 2011
associated trustpoints: ca
ra signature certificate
certificate serial number: 61049d55000000000002
certificate usage: signature
ca certificate
certificate serial number: 3a95b1ba0d8b8dbe4e9d2c1cd55ee854
http://sinobest-6e30a7/certenroll/ca.crl
start date: 07:50:20 utc sep 5 2010
end date: 07:59:56 utc sep 5 2015
certificate
name: ×××-server.kangta.com
serial number: ffffffff
status: pending
key usage: general purpose
certificate request fingerprint md5: a448576d 05b3772f c9804a60 69368491
certificate request fingerprint sha1: f3fa75a5 9b78af1b 699f6f2b 7a30546f 556dd1b0
associated trustpoint: ca
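As an added example (not part of the original notes), a small Python audit that parses show crypto ca certificates output in the flattened layout shown above, flags certificates that are still pending, expired or close to expiry, and reports whether the trustpoint carries crl optional, which means revocation is not enforced whenever the CRL cannot be fetched. The sample output and trustpoint config are constructed, and the hostname router.example.test is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample in the same flattened layout as the page's
# "show crypto ca certificates" output, plus a trustpoint config to inspect.
SHOW_CERT_OUTPUT = """\
ca certificate
status: available
certificate serial number: 3a95b1ba0d8b8dbe4e9d2c1cd55ee854
crl distribution points:
http://ca/certenroll/ca.crl
start date: 07:50:20 utc sep 5 2010
end date: 07:59:56 utc sep 5 2015
certificate
name: router.example.test
status: pending
"""
ROUTER_CONFIG = "crypto ca trustpoint ca\n enrollment url http://ca/certsrv/mscep/mscep.dll\n crl optional\n"
DATE_FMT = "%H:%M:%S utc %b %d %Y"  # IOS style: 08:05:12 utc sep 5 2010
# "key: value" lines; the lookahead stops a bare URL line being read as key "http"
KV_RE = re.compile(r"^([a-z][a-z ]*):(?!//)\s*(.*)$")

def parse_certificates(text):
    """Return one dict per certificate block; the header line becomes 'type'."""
    certs = []
    for line in (ln.strip() for ln in text.lower().splitlines()):  # real IOS output is mixed case
        if line.endswith("certificate") and ":" not in line:
            certs.append({"type": line})
        elif certs and (m := KV_RE.match(line)):
            certs[-1][m.group(1).strip()] = m.group(2).strip()
    return certs

def audit(certs, now, warn_days=30):
    """List certificates that are still pending, already expired, or close to expiry."""
    findings = []
    for c in certs:
        label = c.get("name") or c["type"]
        if c.get("status") == "pending":
            findings.append(f"{label}: request still pending, not yet issued by the CA")
        elif "end date" in c:
            left = (datetime.strptime(c["end date"], DATE_FMT) - now).days
            if left < 0:
                findings.append(f"{label}: expired {-left} days ago")
            elif left <= warn_days:
                findings.append(f"{label}: expires in {left} days")
    return findings

def crl_is_optional(config):
    """True if the trustpoint accepts peer certs even when the CRL cannot be fetched."""
    return any(ln.strip() == "crl optional" for ln in config.lower().splitlines())
```

Feed it the saved output of show crypto ca certificates and the trustpoint section of show run to get the same report for a real router.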