5.8.4. 为路由器生成 SCEP 证书


以下过程详细介绍了如何为路由器生成 SCEP 证书。
  1. 选择随机 PIN。
  2. 将 PIN 和路由器的 ID 添加到 flatfile.txt 文件中,以便路由器可以直接与 CA 进行身份验证。例如:
    vim /var/lib/pki/instance_name/ca/conf/flatfile.txt
    
    UID:172.16.24.238
    PWD:Uojs93wkfd0IS
    务必在 PWD 行后插入空行。
    路由器的 IP 地址可以是 IPv4 地址或 IPv6 地址。
    第 9.2.4 节 “配置平面文件身份验证” 中描述了使用无格式文件身份验证。
  3. 登录到路由器的控制台。在本例中,路由器的名称为 scep
    scep>
  4. 启用特权命令。
    scep> enable
  5. 进入配置模式。
    scep# conf t
  6. 从 root 用户开始,为证书链中每个 CA 导入 CA 证书。例如,以下命令序列将链中两个 CA 证书导入到路由器中:
    scep(config)# crypto ca trusted-root1
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 1
    scep(config)# crypto ca trusted-root0
    scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe
    scep(ca-root)# crl optional
    scep(ca-root)# exit
    scep(config)# cry ca authenticate 0
  7. 设置 CA 身份,并输入用于访问 SCEP 注册程序的 URL。例如,对于 CA:
    scep(config)# crypto ca identity CA
    scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin
    scep(ca-identity)# crl optional
  8. 获取 CA 的证书。
    scep(config)# crypto ca authenticate CA
    Certificate has the following attributes:
    Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57
    % Do you accept this certificate? [yes/no]: yes
  9. 生成 RSA 密钥对。
    scep(config)# crypto key generate rsa
    The name for the keys will be: scep.server.example.com
    Choose the size of the key modulus in the range of 360 to 2048 for your
    General Purpose Keys. Choosing a key modulus greater than 512 may take
    a few minutes.
    
    How many bits in the modulus [512]:
    Generating RSA keys ...
    [OK]
  10. 最后,在路由器上生成证书。
    scep(config)# crypto ca enroll CA
    %
    % Start certificate enrollment ..
    % Create a challenge password. You will need to verbally provide this
    password to the CA Administrator in order to revoke your certificate.
    For security reasons your password will not be saved in the configuration.
    Please make a note of it.
    
    Password: secret
    Re-enter password: secret
    
    % The subject name in the certificate will be: scep.server.example.com
    % Include the router serial number in the subject name? [yes/no]: yes
    % The serial number in the certificate will be: 57DE391C
    % Include an IP address in the subject name? [yes/no]: yes
    % Interface: Ethernet0/0
    % Request certificate from CA? [yes/no]: yes
    % Certificate request sent to Certificate Authority
    % The certificate request fingerprint will be displayed.
    % The 'show crypto ca certificate' command will also show the fingerprint.
    
    % Fingerprint:D89DB555 E64CC2F7 123725B4 3DBDF263
    
    Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
  11. 关闭配置模式。
     scep(config)# exit
  12. 为确保路由器已正确注册,请列出存储在路由器中的所有证书。
    scep# show crypto ca certificates
    Certificate
     Status: Available
     Certificate Serial Number: 0C
     Key Usage: General Purpose
     Issuer:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Subject Name Contains:
    	Name: scep.server.example.com
    	IP Address: 10.14.1.94
    	Serial Number: 57DE391C
     Validity Date:
    	start date: 21:42:40 UTC Jan 12 2007
    	end date: 21:49:50 UTC Dec 31 2008
     Associated Identity: CA
    
    CA Certificate
     Status: Available
     Certificate Serial Number: 01
     Key Usage: Signature
     Issuer:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Subject:
    	CN = Certificate Authority
    	 O = Sfbay Red hat Domain 20070111d12
     Validity Date:
    	start date: 21:49:50 UTC Jan 11 2007
    	end date: 21:49:50 UTC Dec 31 2008
     Associated Identity: CA
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.