配置cisco vpn client使用scep从ios router ca获取证书
首先看一下如何用ios router做ca server。hostname R3
ip domain name cisco.com
//这两个命令必须配,用来生成key
!
crypto pki server R3
cdp-url tftp://10.0.78.102/R3.crl //生成正书后,把相应的R3.crl文件上传到tftp服务器上去
database level complete
database archive pem password 0 cisco123
issuer-name cn=CAServer, c=CN, o=BJENET
//这上面的4行是需要配置的,底下的两组pki命令都是router自己生成的,配置完后要no shutdown一下,只会ios会自己生成key(默认1024位),如果你仔细的话会发现key的名字和pki server的名字是一样的,对头,你要是出于安全考虑,想自己生成一个2048位的key,那么就要注意pki server的名字需要和key的名字一样
!
crypto pki trustpoint R3
revocation-check crl
rsakeypair R3
!
crypto pki certificate chain R3
certificate ca 01
3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31310F30 0D060355 040A1306 424A454E 4554310B 30090603 55040613 02434E31
11300F06 03550403 13084341 53657276 6572301E 170D3036 30373231 31393332
35325A17 0D303930 37323031 39333235 325A3031 310F300D 06035504 0A130642
4A454E45 54310B30 09060355 04061302 434E3111 300F0603 55040313 08434153
65727665 7230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A80B 2C3A575A 8EE6C334 597DBF04 B2BFAE6F 900C37A6 2485D6A8 DDF2AD92
899AA91E 353BE83C D28347D4 B2567602 E855D748 021F4E66 5F31C68C DAEB7D55
8D4DB11E 2595BE5A 890BD2FD 5DF341E1 25EC8E4A C29B63FC F70A73E2 6B15B5EB
9D5AA193 99A886CE 58FCE9F4 037EEADF E056AE02 10EC2B54 E27E51DA 4E5F00DA
F0670203 010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603
551D0F01 01FF0404 03020186 301F0603 551D2304 18301680 14AC9683 4830127C
FA790371 5F41EAE2 27A72185 A9301D06 03551D0E 04160414 AC968348 30127CFA
7903715F 41EAE227 A72185A9 300D0609 2A864886 F70D0101 04050003 81810061
C47440E3 E0CA2B14 C144CAFA 8BFC1EF8 33992F65 E477A0E8 40B1DCA1 ED9DBD56
FF98E71B 4CF12CB1 257AF839 C7667BFC E8DDD837 4DAB5268 7F82F1A9 86552A82
18E397B3 7CFD3387 AFDFA7B4 60B39FEB 8B94A996 099C620E 0A2EB3A3 D0B54AC0
CB60B2BC 4ED1F2C6 E337328C 4944877E BC64C241 AEAC546D 06D99D6A 10759C
quit
!
ip http server
//把80端口打开,vpn client正是用这个端口从这个ca server获取证书
!
ntp server 129.6.15.28 //一定要让ca和vpn client的时间同步,当然最好的方法就是ntp了
R3# sho crypto key mypubkey rsa
% Key pair was generated at: 03:32:43 UTC Jul 22 2006
Key name: R3 //look!key的名字和pki server的名字一样
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A80B2C
3A575A8E E6C33459 7DBF04B2 BFAE6F90 0C37A624 85D6A8DD F2AD9289 9AA91E35
3BE83CD2 8347D4B2 567602E8 55D74802 1F4E665F 31C68CDA EB7D558D 4DB11E25
95BE5A89 0BD2FD5D F341E125 EC8E4AC2 9B63FCF7 0A73E26B 15B5EB9D 5AA19399
A886CE58 FCE9F403 7EEADFE0 56AE0210 EC2B54E2 7E51DA4E 5F00DAF0 67020301 0001
% Key pair was generated at: 03:32:50 UTC Jul 22 2006
Key name: R3.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DBA874 AFC1DF59
7EE8A1C7 F1F0B0FA 1E663DE8 BFD122C3 E696B93D 31F62FD7 FC250D20 9D97A7DE
A833443A 9B7518A2 35FF085C D73C77FF 85A88DEE 1A4F33A5 00406382 FEA155D8
1BAA49FE 55E13AF0 81442BAF FA234B7B 71BDE8B6 5D6D481E CD020301 0001 R3#dir nvram:
Directory of nvram:/
1019 -rw- 1263 startup-config
1020 ---- 5 private-config
1021 -rw- 1263 underlying-config
1 ---- 34 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 32 R3.ser //ca的序列号,每生成一份证书,里面的序列号就加1
4 -rw- 575 1.crt //ca自己的证书,ascii编码
5 -rw- 81 1.cnm //ca的描述文件,因为配置了database level complete才有这个文件的
6 -rw- 248 R3.crl //证书revoke列表
7 -rw- 1794 R3.pem //也是ca自己的证书,采用base64编码,包含自己私钥
1046520 bytes total (1037008 bytes free)
R3#sho crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=CAServer
c=CN
o=BJENET
Subject:
cn=CAServer
c=CN
o=BJENET
Validity Date:
start date: 03:43:53 UTC Jul 22 2006
end date: 03:43:53 UTC Jul 21 2009
Associated Trustpoints: R3
R3#sho crypto pki server
Certificate Server R3:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=CAServer, c=CN, o=BJENET
CA cert fingerprint: CD1DB598 8819CEC2 88F4C5D4 1AD11123
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 03:43:54 UTC Jul 21 2009
CRL NextUpdate timer: 09:43:54 UTC Jul 22 2006
Current storage dir: nvram:
Database Level: Complete - all issued certs written as .cer 下面该cisco vpn client上场了。
切换到Certificates标签,再点Enroll,就是带红筐的那个。
最重要的一步到了,填CA URL,就是红底的那个,填上"http://x.x.x.x/cgi-bin/pkiclient.exe",x.x.x.x是刚才那个ios router的地址。后面/cgi-bin/pkiclient.exe很重要,TMD,如果用pix或者router通过scep取证书时直接写"http://x.x.x.x"就可以了,但在vpn client里你要照着填就肯定获取失败,后来没办法,想了个土法子,在ca router上打开debug ip http all,然后用另一个router通过scep取证书,debug出来这样的结果:
.Jul 21 12:29:12.125: Fri, 21 Jul 2006 12:29:12 GMT 221.223.37.189 /cgi-bin/pkic
lient.exe ok
Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=
MIIGNgYJKoZIhvcNAQcCoIIGJzCCBiMCAQExDjAMBggqhkiG9w0CBQUAMIIBagYJ
KoZIhvcNAQcBoIIBWwSCAVcwggFTBgkqhkiG9w0BBwOgggFEMIIBQAIBADGB0DCB
zQIBADA2MDExDzANBgNVBAoTBkJKRU5FVDELMAkGA1UEBhMCQ04xETAPBgNVBAMT
CENBU2VydmVyAgEBMA0GCSqGSIb3D
这回明白了吧。CA domain就是ios router ca的domain,Challenge password就是database archive pem password设置的密码。再fuck一次,别看vpn client上标明CA URL是必须填的就以为domain和challenge password可以不填,不填你就永远没法申请到证书了。New password是管理vpn client获取的证书用的密码,以后无论是删除证书啥的都用的到,好好保存。
点击Next,输入Name [CN],随便吧,这个是用来标识自己的,只要是唯一的就可以了。然后点Enroll。这时vpn client向ca发送request。具体原理看这个:证书certificate生成和验证的过程。之后应该出现下面的画面。
这个时候vpn client上已经有CA的证书了,但自己的证书还是request状态。
现在是时候去ios router ca上给vpn client授权了。现面步骤照做就可以了,比较简单。
R3#crypto pki server R3 info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending CC98FFF795CAB68BFAC3AE22CB3AE75A cn=Nio
crypto pki server R3 grant 1
R3#dir nvram:
Directory of nvram:/
1019 -rw- 1440 startup-config
1020 ---- 5 private-config
1021 -rw- 1440 underlying-config
1 ---- 34 persistent-data
2 -rw- 0 ifIndex-table
3 -rw- 32 R3.ser
4 -rw- 575 1.crt
5 -rw- 81 1.cnm
6 -rw- 248 R3.crl
7 -rw- 1794 R3.pem
9 -rw- 639 2.crt //这个就是vpn client的证书了
10 -rw- 62 2.cnm //vpn client的描述文件
1046520 bytes total (1034783 bytes free)
现在证书已经授权给vpn client了,让vpn client到这个ca上取一下证书吧。
点刚才还是request状态的证书,右键,选retrieve approved certificate,之后输入刚才的那个New password,就是我说管理证书用的那个密码。
页:
[1]