
Ruijie Networks: CA Digital Certificate Configuration: Offline Certificate Enrollment on a Router (ruijie untrusted ca)

Contents

Feature Overview

Enrollment Steps

I. Network Requirements

II. Network Topology

III. Configuration Key Points

IV. Configuration Steps

V. Verification

Appendix

Feature Overview

The router obtains its digital certificate by offline enrollment. With this method the router does not need to communicate with the CA server at all.

Enrollment Steps

1) The router generates the CERTIFICATE REQUEST string by enrolling against the trustpoint (step 4).
2) The REQUEST string is handed to the customer, who uses it to have the router certificate issued.
3) Once the router certificate is obtained, import it together with the CA root certificate (also provided by the customer) to complete the certificate import.

I. Network Requirements

The router obtains a digital certificate by offline enrollment.

II. Network Topology

III. Configuration Key Points

1. Confirm that the router's system time is correct.
2. Configure a trustpoint to define a certificate authority.
3. Enroll against the trustpoint (register the root certificate) to generate the Request string, submit it to the customer, and the customer provides the router certificate.
4. Import the router certificate provided by the customer, together with the CA certificate (the customer can export it at any time; no input from us is needed), into the router.
5. Configure the router to ignore certificate validity and time checks (optional).

IV. Configuration Steps

1. Confirm that the router's system time is correct
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
Note: certificates carry time-related attributes such as the revocation list and the validity period, so the time must be synchronized before any certificate work is done.
Where conditions allow, configuring NTP is recommended.
2. Configure a trustpoint to define a certificate authority
Internet(config)# crypto pki trustpoint ruijie   //the trustpoint is named ruijie
Internet(ca-trustpoint)#revocation-check none      //do not check the revocation list
Internet(ca-trustpoint)# enrollment offline  //define the offline enrollment method
You are about to be asked to enter you Distinguished Name(DN) information that will be incorporated into
your certificate request. There are quite a few fields but you can leave some blank       //set the DN information for the offline certificate
Common Name (eg, YOUR name) []:tac                      //your first and last name
Organizational Unit Name (eg, section) []:tac  //your organizational unit
Organization Name (eg, company) []:ruijie  //your company
Locality Name (eg, city) []:Fuzhou //your city
State or Province Name (full name) []:Fujian  //your province
Country Name (2 letter code) [CN]:CN //your country code
The subject name is: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
Is it correct[yes/no]:yes  //confirm the DN information; the [] fields above can be set as you wish
Internet(ca-trustpoint)#
3. Enroll against the trustpoint to generate the Request string, submit it to the customer, and the customer provides the router certificate
Internet(config) #crypto pki enroll ruijie
Choose the size of the key modulus in the range of 384 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[1024]: //just press Enter here
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
//Press Enter here. The only purpose of this step is to obtain the request string shown above (everything between BEGIN and END CERTIFICATE REQUEST). After pressing Enter the router reports that the certificate import failed; that is expected.
CA certificate decode fail.
CA certificate import fail.
enroll offline failed.
4. Import the router certificate provided by the customer, together with the CA certificate (the customer can export it at any time; no input from us is needed), into the router
Internet(config))# crypto pki enroll ruijie
router already has RSA key pair,
%% Do you want to generate a new private key?[yes/no]:no
%The subject name in the certificate will include: cn=tac,ou=tac,o=1,l=1,st=1,c=3
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.   //paste the CA root certificate provided by the customer
-----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 quit   //type quit
Certificate has the following attributes:
MD5 fingerprint: 90AD60A5 DFEA40D0 1F97E9BD 6CA8589F
SHA1 fingerprint: 6848FBC4 CF53FA89 BE239913 5F705F2E 239A3850
%% Do you accept this certificate?[yes/no]:y
% CA Certificate successfully readed
%% All ca certificate imported?[yes/no]: y   
% Enter PEM-formatted certificate.   //the prompt to start pasting the router certificate provided by the customer
% End with a blank line or "quit" on a line by itself.
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 quit   //type quit to finish
% Router Certificate successfully imported
5. Configure the router to ignore certificate validity and time checks (optional)
crypto pki trustpoint ruijie //enter the trustpoint that holds the certificate
    time-check none //disable the certificate time check
revocation-check none  //do not check whether the certificate has been revoked
Notes:
1. The RSR10-02 has no real-time clock chip. After a power loss its time resets to 1970-01-01, which makes certificate-based IPsec VPN negotiation fail. You must either configure NTP time synchronization or configure timeout-check none under crypto pki trustpoint XX to disable the time check.
2. Every 3G client whose digital certificate was not enrolled online must have revocation-check none configured under crypto pki trustpoint XX to disable CRL checking on the device, unless the device can resolve the domain name of the CA service.
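Two of the checks above deserve a closer look: the fingerprint the router prints before asking "Do you accept this certificate?" (step 4), and the time check that fails when the router clock is wrong (step 1 and note 1). The Python script below is an added example, not code from the original article or from Ruijie: it computes the MD5/SHA1 fingerprint of a PEM certificate in the router's grouped format so it can be compared against the value the CA operator communicates out of band, and it reads notBefore/notAfter straight from the DER to show how the page's clock of Mar 6, 2003, or the 1970 reset, is judged. The certificate is a constructed, unsigned X.509 skeleton built inline; all function names are assumptions.

```python
import base64, hashlib, re
from datetime import datetime, timezone

def _tlv(buf, pos):  # one DER TLV (definite length) -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the byte count of the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def _children(blob):  # all TLVs inside a constructed value
    out, pos = [], 0
    while pos < len(blob):
        tag, val, pos = _tlv(blob, pos)
        out.append((tag, val))
    return out

def _der(tag, content):  # short-form DER encoder, enough for the small constructed sample
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def router_fingerprint(der, algo):  # digest of the DER, upper-case hex in groups of 8 as the router prints it
    hx = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hx[i:i + 8] for i in range(0, len(hx), 8))

def validity(der):  # (notBefore, notAfter) from tbsCertificate.validity
    fields = _children(_children(_children(der)[0][1])[0][1])  # Certificate -> tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    conv = lambda tag, val: datetime.strptime(  # 0x17 UTCTime (YY), 0x18 GeneralizedTime (YYYY)
        val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return tuple(conv(t, v) for t, v in _children(fields[3][1]))  # serial, sigAlg, issuer, validity

def clock_status(pem, router_clock):  # router_clock: 'YYYY-MM-DD HH:MM:SS' UTC, as 'show clock' reports
    now = datetime.strptime(router_clock, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    nb, na = validity(pem_to_der(pem))
    return "not yet valid" if now < nb else "expired" if now > na else "valid"

def constructed_cert(not_before, not_after):  # unsigned X.509 skeleton with the given UTCTime validity (sample only)
    empty = _der(0x30, b"")
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty + empty
           + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after)) + empty + empty)
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))

# Constructed sample: valid 2015-04-20 01:51:11 UTC to 2025-04-20 02:01:10 UTC.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(
    constructed_cert(b"150420015111Z", b"250420020110Z")).decode() + "-----END CERTIFICATE-----\n")
```

With the page's `show clock` value, `clock_status(SAMPLE_PEM, "2003-03-06 05:01:40")` returns "not yet valid", which is exactly the condition that `time-check none` suppresses and that NTP fixes properly.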

V. Verification

Use show crypto pki certificates ruijie to view the certificate information for the trustpoint named "ruijie":
Ruijie# show crypto pki certificates ruijie
% CA certificate info: //CA root certificate information
Certificate:
    Data:
Version: 3 (0x2)
Serial Number:
65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: Dec 29 05:30:00 2010 GMT
Not After : Dec 29 05:39:30 2020 GMT //the certificate's validity period; if the device time is outside it, the certificate cannot be used
Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info: //router certificate information
Certificate:
    Data:
Version: 3 (0x2)
Serial Number:
61:0e:8b:73:00:00:00:00:00:19
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: May 15 07:55:30 2011 GMT
Not After : May 15 08:05:30 2012 GMT
Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/emailAddress=test@ruijie.com.cn
Associated Trustpoints: ruijie

Appendix

1. Exporting the root certificate from the CA

The resulting .cer file can be opened and viewed with WordPad.

2. How the customer obtains the router certificate from the request
(1) On the CA certificate server, open http://202.100.1.11/certsrv/ and click "Request a certificate".

(3) On the page that opens, click "Advanced certificate request".

(4) On the page that opens, click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

(5) On the page that opens, paste the request string obtained from the router into "Saved Request:" and click Submit.

Note: when submitting the request, copy the entire content from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----".

(6) Issue the certificate on the CA.

(7) View the issued certificate.

(8) On the page that opens, select "Base 64 encoded" and click Download certificate.

6. Importing the certificate
(1) After the download completes, the certificate is named certnew.cer by default; open it with WordPad.