5.8.4. 为路由器生成 SCEP 证书
以下过程详细介绍了如何为路由器生成 SCEP 证书。
- 选择随机 PIN。
- 将 PIN 和路由器的 ID 添加到
flatfile.txt
文件中,以便路由器可以直接与 CA 进行身份验证。例如:vim /var/lib/pki/instance_name/ca/conf/flatfile.txt UID:172.16.24.238 PWD:Uojs93wkfd0IS
务必在 PWD 行后插入空行。路由器的 IP 地址可以是 IPv4 地址或 IPv6 地址。第 9.2.4 节 “配置平面文件身份验证” 中描述了使用无格式文件身份验证。 - 登录到路由器的控制台。在本例中,路由器的名称为 scep :
scep>
- 启用特权命令。
scep> enable
- 进入配置模式。
scep# conf t
- 从 root 用户开始,为证书链中每个 CA 导入 CA 证书。例如,以下命令序列将链中两个 CA 证书导入到路由器中:
scep(config)# crypto ca trusted-root1 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 1 scep(config)# crypto ca trusted-root0 scep(ca-root)# root CEP http://server.example.com:8080/ca/cgi-bin/pkiclient.exe scep(ca-root)# crl optional scep(ca-root)# exit scep(config)# cry ca authenticate 0
- 设置 CA 身份,并输入用于访问 SCEP 注册程序的 URL。例如,对于 CA:
scep(config)# crypto ca identity CA scep(ca-identity)# enrollment url http://server.example.com:8080/ca/cgi-bin scep(ca-identity)# crl optional
- 获取 CA 的证书。
scep(config)# crypto ca authenticate CA Certificate has the following attributes: Fingerprint: 145E3825 31998BA7 F001EA9A B4001F57 % Do you accept this certificate? [yes/no]: yes
- 生成 RSA 密钥对。
scep(config)# crypto key generate rsa The name for the keys will be: scep.server.example.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: Generating RSA keys ... [OK]
- 最后,在路由器上生成证书。
scep(config)# crypto ca enroll CA % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: secret Re-enter password: secret % The subject name in the certificate will be: scep.server.example.com % Include the router serial number in the subject name? [yes/no]: yes % The serial number in the certificate will be: 57DE391C % Include an IP address in the subject name? [yes/no]: yes % Interface: Ethernet0/0 % Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The certificate request fingerprint will be displayed. % The 'show crypto ca certificate' command will also show the fingerprint. % Fingerprint:D89DB555 E64CC2F7 123725B4 3DBDF263 Jan 12 13:41:17.348: %CRYPTO-6-CERTRET: Certificate received from Certificate
- 关闭配置模式。
scep(config)# exit
- 为确保路由器已正确注册,请列出存储在路由器中的所有证书。
scep# show crypto ca certificates Certificate Status: Available Certificate Serial Number: 0C Key Usage: General Purpose Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Subject Name Contains: Name: scep.server.example.com IP Address: 10.14.1.94 Serial Number: 57DE391C Validity Date: start date: 21:42:40 UTC Jan 12 2007 end date: 21:49:50 UTC Dec 31 2008 Associated Identity: CA CA Certificate Status: Available Certificate Serial Number: 01 Key Usage: Signature Issuer: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Subject: CN = Certificate Authority O = Sfbay Red hat Domain 20070111d12 Validity Date: start date: 21:49:50 UTC Jan 11 2007 end date: 21:49:50 UTC Dec 31 2008 Associated Identity: CA