交换机
园区网交换机
数据中心与云计算交换机
中小网络精简型交换机
工业交换机
意图网络指挥官
无线
放装型无线接入点
墙面型无线接入点
智分无线接入点
室外无线接入点
场景化无线
无线控制器
小锐A系列
统一运维
身份管理
服务产品
运营商
政府
金融
互联网
电力能源
制造业
高教/职教
医疗卫生
交通
地产酒店文旅·连锁服务
公共安全
功能介绍
路由器通过离线申请的方式获取到数字证书,采用该种方法,路由器无需与CA服务器进行通信。
一、组网需求
路由器通过离线申请的方式获取到数字证书。
二、组网拓扑
无
三、配置要点
1、确认路由器的系统时间是否正确
2、从CA导出根证书
3、定义一个证书授权
4、注册根证书
5、CA签发证书
6、导入证书
7、配置忽略证书有效性和时间检查(可选)
四、配置步骤
1、确认路由器的系统时间是否正确
Ruijie#show clock
05:01:40 UTC Thu, Mar 6, 2003
注意:证书涉及到吊销列表,证书的有效期等属性,和时间关联,做证书之前,需要保证时间同步。
条件允许的情况下,建议设置NTP。
2、从CA导出根证书
导出的CA公钥文件,可以通过写字板打开查看。
3、定义一个证书授权
Internet(config)#crypto pki trustpoint ruijie
Internet(ca-trustpoint)#revocation-check none //不检查吊销列表
Internet(ca-trustpoint)#enrollment offline //定义离线申请证书的方法
You are about to be asked to enter you Distinguished Name(DN) information that will be incorporated into
your certificate request. There are quite a few fields but you can leave some blank //设置离线证书的DN信息
Common Name (eg, YOUR name) []:tac //您的姓名与姓氏
Organizational Unit Name (eg, section) []:tac //您的组织单位名称
Organization Name (eg, company) []:ruijie //您的公司
Locality Name (eg, city) []Fuzhou //您所在的城市
State or Province Name (full name) []:Fujian //您所在的省份
Country Name (2 letter code) [CN]:CN //您所在的国家代码
The subject name is: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
Is it correct[yes/no]:yes //确认DN信息
Internet(ca-trustpoint)#
4、注册根证书
Internet(config)#crypto pki enroll ruijie
%The subject name in the certificate will include: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
-----BEGIN CERTIFICATE REQUEST-----
MIIBnDCCAQUCAQAwXDEMMAoGA1UEAxMDdGFjMQwwCgYDVQQLEwN0YWMxDzANBgNV
BAoTBnJ1aWppZTEPMA0GA1UEBxMGZnV6aG91MQ8wDQYDVQQIEwZmdWppYW4xCzAJ
BgNVBAYTAkNOMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0RfohLE/AURwV
WGEnlYX7k/rkOOIoN/5j3SEIQXaBiGYl/cOvxoM+31S0eT+wdYu7ClkTKUSIMqCy
qzYVjEjKwLMKELBDUT7E6Ev+KNt5fqkqaRLIfX3jfGLzUE9WQnJ1YPX4x2jHR5Mt
SnZvtbRqoVs/l/9Bz8RvyP9186rOYQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
sJiZANI9VNxeHgc7hWdlJme99YKY1HbENKqBM5lw/rHoAIdX/qB5QLrTjTPZu03B
Luf27omD87E/Wu89Xl4viWv/rrJP35kbLQQJBPwesfJ2BpmV7ex9RybPAGCC4El0
7Vc/hbG+gSjxnyl1y3VrJr6Ztr0ES5kVkucg4+Gp0eo=
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself. //下面要贴PEM格式的CA根证书,也就是步骤2生成的根证书
-----BEGIN CERTIFICATE-----
MIIDsjCCApqgAwIBAgIQZcc6gCrozIVP+65pSDNoXDANBgkqhkiG9w0BAQUFADA7
MRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDcnNjMQ8wDQYD
VQQDEwZSU0MgQ0EwHhcNMTAxMjI5MDUzMDAwWhcNMjAxMjI5MDUzOTMwWjA7MRMw
EQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDcnNjMQ8wDQYDVQQD
EwZSU0MgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDncaGha6dq
NJbABhyV/v9w+1XZQceI1XQyOSf8+33x/LeA4f49e39/1oWzI29chHRBvzS0vyvx
4QY0Z/4Ecjh17QXHAyOVWatc/fTRLfEWn1LU+PsQA44tqs7RbxuzVQpzzovQmJw9
VyjC13HUSdquL+kqVe9DqMKKzUaTctQ16YePDWfCUA0XKnxd/rdYSrva7U6+papx
v0AdWmLeNNAv36wlar4n12LTppcXo0/oxN2eVfK6TBkT8W47NXRegYPGFAcTR/BF
QK8eMFQLiwi1CffsNoE1NpmhDUtYwRQ3m/JsY0tgyKFgMMibkbqBslq33p6zXvUE
h41qned5Azg1AgMBAAGjgbEwga4wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFIJiMJD5jU//bnOzNzd7Q9JffyPjMF0GA1UdHwRWMFQwUqBQ
oE6GJWh0dHA6Ly9yc2MtY2EvQ2VydEVucm9sbC9SU0MlMjBDQS5jcmyGJWZpbGU6
Ly9cXFJTQy1DQVxDZXJ0RW5yb2xsXFJTQyBDQS5jcmwwEAYJKwYBBAGCNxUBBAMC
AQAwDQYJKoZIhvcNAQEFBQADggEBAFazbsPV0FXCpsRx5xk/ErOyzXf1cbE4eqWL
OKes0OoWA6y1Fg9zvxWX7z5SorPByJqC9Ci+ej0fmxaUqMqtd3Dx+YeFLFryszHu
YdcaNrU6YAbUHL/UvNcgwM8DLm53AagSZoV3qV4g6jra5osd7/MtObuFclgH09L2
0J8oclBJZOODk4GWsQkyhgTEAiA9WXwC470GiApXTqeQKO4Zo6io2GtVj571UIt8
QaVt237eiZtYQoadaQh6maH1wM87RXWxB+KwLOzk8TqxAy1ke0yASeG8Z23s3/pW
rlq0rdOCEhpoXggAttVRcfGEf/rnVHJr/z44HjeAeMawVqvxWjA=
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
MD5 fingerprint: F9637FD9 3D5F5C33 D6E067C3 5F7952CC
SHA1 fingerprint: FC07C4BE 8E769C57 C4182A80 2904D9F1 A0DE80D5
%% Do you accept this certificate?[yes/no]:yes
% CA Certificate successfully imported
% Enter PEM-formatted certificate.
% End with a blank line or "quit" on a line by itself.
5、CA签发证书
(1)将下述的红色字体部分复制,此为路由器的证书请求
Internet(config)#crypto pki enroll ruijie
%The subject name in the certificate will include: cn=tac,ou=tac,o=ruijie,l=fuzhou,st=fujian,c=CN
-----BEGIN CERTIFICATE REQUEST-----
MIIBnDCCAQUCAQAwXDEMMAoGA1UEAxMDdGFjMQwwCgYDVQQLEwN0YWMxDzANBgNV
BAoTBnJ1aWppZTEPMA0GA1UEBxMGZnV6aG91MQ8wDQYDVQQIEwZmdWppYW4xCzAJ
BgNVBAYTAkNOMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0RfohLE/AURwV
WGEnlYX7k/rkOOIoN/5j3SEIQXaBiGYl/cOvxoM+31S0eT+wdYu7ClkTKUSIMqCy
qzYVjEjKwLMKELBDUT7E6Ev+KNt5fqkqaRLIfX3jfGLzUE9WQnJ1YPX4x2jHR5Mt
SnZvtbRqoVs/l/9Bz8RvyP9186rOYQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
sJiZANI9VNxeHgc7hWdlJme99YKY1HbENKqBM5lw/rHoAIdX/qB5QLrTjTPZu03B
Luf27omD87E/Wu89Xl4viWv/rrJP35kbLQQJBPwesfJ2BpmV7ex9RybPAGCC4El0
7Vc/hbG+gSjxnyl1y3VrJr6Ztr0ES5kVkucg4+Gp0eo=
-----END CERTIFICATE REQUEST-----
% Enter PEM-formatted CA certificate.
(2)在CA证书服务器上打开:http://202.100.1.11/certsrv/,并点击“申请一个证书”
(3)弹出如下页面,点击“高级证书申请”
(4)弹出如下页面,点击“使用 base64 编码的 CMC 或 PKCS #10 文件提交 一个证书申请,或使用 base64 编码的 PKCS #7 文件续订证书申请”
(5)弹出如下页面,并将第(1)步中的红色字体输入到“保存的申请:”中,然后点击提交。
注意:证书申请的时候需要拷贝从“-----BEGIN CERTIFICATE REQUEST-----到-----END CERTIFICATE REQUEST-”的全部内容。
(6)在CA上颁发证书
(7)查看颁发后的证书
(8)弹出如下页面,点击“BASE 64编码”,然后点击下载证书。
6、导入证书
(1)下载完毕后,默认情况下该证书的名字为certnew.cer,然后用写字板打开
(2)将写字板的内容复制出来,然后粘贴到路由器。
% Enter PEM-formatted certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE-----
MIIDwTCCAqmgAwIBAgIKEqv2mgAAAAAAKTANBgkqhkiG9w0BAQUFADA7MRMwEQYK
CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDcnNjMQ8wDQYDVQQDEwZS
U0MgQ0EwHhcNMTEwMTI3MDIwMTQ2WhcNMTIwMTI3MDIxMTQ2WjBcMQswCQYDVQQG
EwJDTjEPMA0GA1UECBMGZnVqaWFuMQ8wDQYDVQQHEwZmdXpob3UxDzANBgNVBAoT
BnJ1aWppZTEMMAoGA1UECxMDdGFjMQwwCgYDVQQDEwN0YWMwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALRF+iEsT8BRHBVYYSeVhfuT+uQ44ig3/mPdIQhBdoGI
ZiX9w6/Ggz7fVLR5P7B1i7sKWRMpRIgyoLKrNhWMSMrAswoQsENRPsToS/4o23l+
qSppEsh9feN8YvNQT1ZCcnVg9fjHaMdHky1Kdm+1tGqhWz+X/0HPxG/I/3Xzqs5h
AgMBAAGjggEoMIIBJDAdBgNVHQ4EFgQUnW9kRaUnq/+YFdyb/w5Vk7UOoPAwHwYD
VR0jBBgwFoAUgmIwkPmNT/9uc7M3N3tD0l9/I+MwXQYDVR0fBFYwVDBSoFCgToYl
aHR0cDovL3JzYy1jYS9DZXJ0RW5yb2xsL1JTQyUyMENBLmNybIYlZmlsZTovL1xc
UlNDLUNBXENlcnRFbnJvbGxcUlNDIENBLmNybDCBggYIKwYBBQUHAQEEdjB0MDgG
CCsGAQUFBzAChixodHRwOi8vcnNjLWNhL0NlcnRFbnJvbGwvUlNDLUNBX1JTQyUy
MENBLmNydDA4BggrBgEFBQcwAoYsZmlsZTovL1xcUlNDLUNBXENlcnRFbnJvbGxc
UlNDLUNBX1JTQyBDQS5jcnQwDQYJKoZIhvcNAQEFBQADggEBAI03S0nvNc2T5CDA
n+0BE3J36uR44wLjBZJS6a4jPBoAePDIBgw8tBqNew9WGuAfM3vNCzpdIJ/xMf+/
oxmCW1a+dP8113beLmgiiCN+bsquqUSh7eFl1dcu8ftEs6bIHdG3d2/56/99DxqT
LINu2+032gOSrE3Q70LtJFJs7XRDOpbuuBdP7LoMEJrMOp50Hh/gssdN7IwecPUW
GCsr/QWlq2Mg5NuoWkya2Dzad4yKqqLL1lZa4Nj/8t4dSbkfNW3sYjfVvDKJt3Yr
y/GYxTdDZ7aYssNXUQLCsc0ENJJoAntKcU21kRO8Vn8cjNQ5be7V4yitOM1pGGhv
olUDBr8=
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported //提示证书导入成功
7、配置忽略证书有效性和时间检查(可选)
crypto pki trustpoint ruijie //进入证书的相应trustpoint
time-check none //关闭证书的时间检查
revocation-check none //不检查证书是否被吊销
注意:
1、RSR10-02设备没有时钟芯片,断电后时间会初始化为1970-01-01导致基于数字证书的IPSEC VPN协商失败,必须配置NTP时间同步或在证书crypto pki trustpoint XX模式下配置timeout-check none来关闭时间检查。
2、所有非在线申请数字证书的3G客户端,需要在crypto pki trustpoint XX模式下配置revocation-check来关闭设备的CRL检查,除非设备能解析CA服务的域名地址。
五、配置验证
通过show crypto pki certificates ruijie可以查看名称为“ruijie”的证书信息:
Ruijie#show crypto pki certificates ruijie
% CA certificate info: //CA根证书信息
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
65:c7:3a:80:2a:e8:cc:85:4f:fb:ae:69:48:33:68:5c
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: Dec 29 05:30:00 2010 GMT
Not After : Dec 29 05:39:30 2020 GMT //证书的有效期,如果设备时间不在证书有效期内则证书无法使用
Subject: DC=com, DC=rsc, CN=RSC CA
Associated Trustpoints: ruijie
% Router certificate info: //路由器证书信息
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0e:8b:73:00:00:00:00:00:19
Issuer: DC=com, DC=rsc, CN=RSC CA
Validity
Not Before: May 15 07:55:30 2011 GMT
Not After : May 15 08:05:30 2012 GMT
Subject: C=CN, ST=fujian, L=fuzhou, O=ruijie, OU=tac, CN=test/emailAddress=test@ruijie.com.cn
Associated Trustpoints: ruijie