Router as CA server: site-to-site VPN lab
 
 
This is a digital-certificate VPN lab built on the 工大瑞普 simulator. I (Xiao T) look forward to everyone's pointers.
1. Lab approach:
The head office's Cisco 3640 router acts as the CA server. The branch requests the root certificate and its own device certificate from the head office, and the head office likewise requests the root certificate and its own device certificate from itself.
2. Lab steps:
Head office basic configuration:
enable
conf t
hostname zongbu
no ip domain-lookup
line console 0
logging synchronous
exec-timeout 0 0
exit
interface ethernet 0/0
ip address dhcp (the address obtained is 200.1.1.2, along with a default route whose next hop is 200.1.1.1)
no shut
exit
interface ethernet 0/2
ip address 192.168.1.1 255.255.255.0
no shut
no keepalive
exit
Branch basic configuration:
enable
conf t
hostname fenbu
no ip domain-lookup
line console 0
logging synchronous
exec-timeout 0 0
exit
interface ethernet 0/0
ip address dhcp (the address obtained is 210.1.1.2, along with a default route whose next hop is 210.1.1.1)
no shut
exit
interface ethernet 0/2
ip address 192.168.2.1 255.255.255.0
no shut
no keepalive
exit
 
Head office router CA server configuration
clock set 10:25:00 apr 18 2009
(The clock must be set, and the branch's clock must be synchronized with the head office CA's clock. If the clock is not set, the CA service on the head office cannot be started; if the branch's clock is out of sync with the head office, the branch cannot obtain a certificate. In a real deployment, point both routers at the same NTP source.)
ip domain-name t31.com
crypto key generate rsa general-keys label lab modulus 1024 (the key label must match the certificate server name below, so that the server signs with this 1024-bit pair)
ip http server (this service must be enabled; enrollment uses SCEP over HTTP)
crypto pki server lab (create a CA server named lab)
issuer-name CN=zongbu.t31.com,L=changsha,C=CN (fill in the CA server's identity)
no shutdown (start the CA server and generate the root certificate)
%Some server settings cannot be changed after CA certificate generation.
 
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
(This prompt asks for a password of more than 7 characters to protect the private key; it is mandatory.)
% Certificate Server enabled.
(The CA service is now enabled; if the CA's clock had not been set, the service could not have started.)
zongbu#show crypto ca certificates (view the CA's root certificate)
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
cn=zongbu.t31.com
l=changsha
c=CN
Validity Date:
start date: 10:25:41 UTC Apr 18 2009
end date: 10:25:41 UTC Apr 17 2012
Associated Trustpoints: lab
 
The head office requests the root certificate from itself (if the head office does not first request the root certificate from itself, it cannot obtain its own device certificate)
crypto ca trustpoint 200.1.1.2 (define the trustpoint)
enrollment mode ra
enrollment url http://200.1.1.2
exit
crypto ca authenticate 200.1.1.2 (request the root certificate)
Certificate has the following attributes:
Fingerprint MD5: BA3F31AF 9E701632 D393AC08 36BCC5DD
Fingerprint SHA1: 9EDD4FFF 4F231045 85218C21 8FCDD867 24B2874F
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
(Before answering yes, compare the MD5/SHA1 fingerprint shown with the CA certificate fingerprint obtained out of band, for example from show crypto pki server on the CA. Accepting an unverified fingerprint means trusting whatever answered on the enrollment URL.)
crypto ca enroll 200.1.1.2 (request the router's own device certificate)
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
 
Password:
Apr 18 10:30:53.423: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: zongbu.t31.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 200.1.1.2 verbose' command will show the
fingerprint.
Apr 18 10:31:00.143: CRYPTO_PKI: Certificate Request Fingerprint MD5: FF549ED7
0F2050DD 712E3CEB AC68AB6F
Apr 18 10:31:00.143: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
784D0FB9 B67FA0BC 8AA900EE BD61A0A8 D1627511
(Note: when a router acts as the CA, certificates are issued manually unless grant auto is configured on the server, so at this point the request is pending. Also note the %CRYPTO-6-AUTOGEN line above: the trustpoint was not tied to the labelled key pair lab, so enrollment auto-generated a separate 512-bit RSA key pair for the device certificate, which is far too small to rely on. Add rsakeypair lab under the trustpoint to enroll with the 1024-bit pair instead.)
zongbu#crypto pki server lab info requests
(view the CA's enrollment requests; lab is the CA server name defined above)
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending FF549ED70F2050DD712E3CEBAC68AB6F hostname=zongbu.t31.com
(The head office's device certificate request is pending)
zongbu#crypto pki server lab grant all
(Issue certificates for the requests. all grants every pending request; a number grants only the request with that ReqID from the listing above, which is the safer choice once its fingerprint has been checked against the one the enrolling router printed. After about a minute the certificate is issued.)
Apr 18 10:35:16.487: %PKI-6-CERTRET: Certificate received from Certificate
Authority (certificate obtained)
 
zongbu#show crypto ca certificates
(The listing now shows two certificates, the root certificate and the head office's device certificate. Note that the root certificate the CA generated and the root certificate it requested from itself are the same certificate.)
 
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
Name: zongbu.t31.com
hostname=zongbu.t31.com
Validity Date:
start date: 10:33:44 UTC Apr 18 2009
end date: 10:33:44 UTC Apr 18 2010
Associated Trustpoints: 200.1.1.2
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
cn=zongbu.t31.com
l=changsha
c=CN
Validity Date:
start date: 10:25:41 UTC Apr 18 2009
end date: 10:25:41 UTC Apr 17 2012
Associated Trustpoints: 200.1.1.2 lab
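Before running grant on the CA, a practitioner checks that the fingerprint of the pending request is the one the enrolling router printed (the CRYPTO_PKI MD5 line in the console log above) and grants that ReqID only; the same check applies to the branch request in the next step. The script below is an added example, not part of the original lab: it parses the router's CRYPTO_PKI log lines and the CA's info requests table and emits the grant/reject commands. The log and table are constructed from this lab's output; the second pending request (ReqID 7) is a hypothetical impostor added to show what a mismatch looks like.

```python
# Added example, not part of the original lab: match the fingerprint of a
# pending enrollment request on the IOS CA against the fingerprint the
# enrolling router printed, and grant only that ReqID instead of "grant all".
import re

# Constructed from the CRYPTO_PKI lines the head-office router printed during
# "crypto ca enroll"; IOS wraps them, so spaces and line breaks are tolerated.
ROUTER_ENROLL_LOG = """\
Apr 18 10:31:00.143: CRYPTO_PKI: Certificate Request Fingerprint MD5: FF549ED7
0F2050DD 712E3CEB AC68AB6F
Apr 18 10:31:00.143: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
784D0FB9 B67FA0BC 8AA900EE BD61A0A8 D1627511
"""

# Constructed "crypto pki server lab info requests" output: the genuine head-office
# request (ReqID 1, as in the lab) plus a hypothetical second request that claims
# the same hostname but carries a different fingerprint.
INFO_REQUESTS = """\
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending FF549ED70F2050DD712E3CEBAC68AB6F hostname=zongbu.t31.com
7 pending 0123456789ABCDEF0123456789ABCDEF hostname=zongbu.t31.com
"""

# Fingerprints come as groups of 8 hex digits separated by spaces or line breaks.
FP_RE = re.compile(r"Certificate Request Fingerprint (MD5|SHA1):\s*((?:[0-9A-Fa-f]{8}\s*)+)")
# The CA lists each request's MD5 fingerprint as one 32-hex-digit string.
REQ_RE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)\s*$", re.M)


def normalize_fp(fp):
    """Drop the spaces/line breaks IOS inserts every 8 hex digits; upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_router_fingerprints(log):
    """{'MD5': ..., 'SHA1': ...} from the enrolling router's console log."""
    return {alg: normalize_fp(fp) for alg, fp in FP_RE.findall(log)}


def parse_pending_requests(text):
    """[(req_id, state, md5_fingerprint, subject), ...] from 'info requests'."""
    return [(int(i), state, fp.upper(), subj) for i, state, fp, subj in REQ_RE.findall(text)]


def requests_to_grant(router_fps, table, expected_subject):
    """ReqIDs whose MD5 fingerprint and subject both match what the operator reported."""
    want = router_fps.get("MD5")
    return [rid for rid, state, fp, subj in table
            if state == "pending" and fp == want and subj == expected_subject]


def requests_to_reject(router_fps, table, expected_subject):
    """Pending requests that claim the expected subject with a different fingerprint:
    stale or spoofed, so they should be rejected rather than left pending."""
    want = router_fps.get("MD5")
    return [rid for rid, state, fp, subj in table
            if state == "pending" and subj == expected_subject and fp != want]


def grant_commands(router_fps, table, expected_subject, server="lab"):
    """The exact CA commands to type: grant the verified request, reject the rest."""
    cmds = [f"crypto pki server {server} grant {rid}"
            for rid in requests_to_grant(router_fps, table, expected_subject)]
    cmds += [f"crypto pki server {server} reject {rid}"
             for rid in requests_to_reject(router_fps, table, expected_subject)]
    return cmds


if __name__ == "__main__":
    fps = parse_router_fingerprints(ROUTER_ENROLL_LOG)
    for cmd in grant_commands(fps, parse_pending_requests(INFO_REQUESTS), "hostname=zongbu.t31.com"):
        print(cmd)
```

Only the MD5 fingerprint is compared because that is the one the CA's request table prints; the SHA1 value is parsed so it can be checked against a show crypto ca certificate verbose listing after issuance.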
 
Branch router configuration:
clock set 10:25:00 apr 18 2009
(The clock must be set and kept in sync with the head office CA; if the branch's clock is out of sync with the head office, the branch cannot obtain a certificate.)
ip domain-name t31.com
crypto key generate rsa general-keys modulus 1024
crypto ca trustpoint 200.1.1.2 (define the trustpoint)
enrollment mode ra
enrollment url http://200.1.1.2
exit
crypto ca authenticate 200.1.1.2 (request the root certificate; check the fingerprint against the CA's before accepting)
Certificate has the following attributes:
Fingerprint MD5: BA3F31AF 9E701632 D393AC08 36BCC5DD
Fingerprint SHA1: 9EDD4FFF 4F231045 85218C21 8FCDD867 24B2874F
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
crypto ca enroll 200.1.1.2 (request the branch's own device certificate)
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: fenbu.t31.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 200.1.1.2 verbose' command will show the
fingerprint.
Apr 18 10:41:46.151: CRYPTO_PKI: Certificate Request Fingerprint MD5: 8D7E2D33
E1DB8402 1F35D41B 6B3AFB9B
Apr 18 10:41:46.151: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
A805BCFD CC113FB2 29FD572A AE1E996B ACC08D4B
(Note: when a router acts as the CA, certificates are issued manually, so at this point the request is pending)
 
zongbu#crypto pki server lab info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending 8D7E2D33E1DB84021F35D41B6B3AFB9B hostname=fenbu.t31.com
(The branch's device certificate request is pending)
 
 
zongbu#crypto pki server lab grant all
(Issue the pending request; grant 2 would issue only the branch's ReqID after its fingerprint has been checked. After about a minute the certificate is issued.)
Apr 18 10:44:07.007: %PKI-6-CERTRET: Certificate received from Certificate
Authority (certificate obtained)
fenbu#show crypto ca certificates
(The branch now holds the root certificate and its own device certificate)
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
Name: fenbu.t31.com
hostname=fenbu.t31.com
Validity Date:
start date: 10:43:55 UTC Apr 18 2009
end date: 10:43:55 UTC Apr 18 2010
Associated Trustpoints: 200.1.1.2
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
cn=zongbu.t31.com
l=changsha
c=CN
Validity Date:
start date: 10:25:41 UTC Apr 18 2009
end date: 10:25:41 UTC Apr 17 2012
Associated Trustpoints: 200.1.1.2
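The lab stresses that both clocks must be in sync, and the two show crypto ca certificates listings above are what the peers will check during IKE. The following added example (mine, not the lab's) parses those listings, checks that each device certificate chains to the same root with the same serial and dates on both routers, and shows which certificates a branch whose clock lags the CA by a few minutes would reject. The head-office listing is copied from the output above; the branch listing is derived from it with the branch's serial, subject and dates; the IOS time zone is assumed to be the UTC shown.

```python
# Added example, not part of the original lab: parse "show crypto ca certificates"
# from both routers, check that each device certificate chains to one shared root,
# and show which certificates a peer with a lagging clock would refuse.
import re
from datetime import datetime
# Head-office listing, copied from the lab output above.
HQ_LISTING = """\
Certificate
Certificate Serial Number: 02
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
Name: zongbu.t31.com
hostname=zongbu.t31.com
Validity Date:
start date: 10:33:44 UTC Apr 18 2009
end date: 10:33:44 UTC Apr 18 2010
Associated Trustpoints: 200.1.1.2
CA Certificate
Certificate Serial Number: 01
Issuer:
cn=zongbu.t31.com
l=changsha
c=CN
Subject:
cn=zongbu.t31.com
l=changsha
c=CN
Validity Date:
start date: 10:25:41 UTC Apr 18 2009
end date: 10:25:41 UTC Apr 17 2012
Associated Trustpoints: 200.1.1.2 lab
"""
# Branch listing: the same root, plus device cert SN 03 for fenbu issued at 10:43:55.
BRANCH_LISTING = (HQ_LISTING.replace("Serial Number: 02", "Serial Number: 03")
                  .replace("zongbu.t31.com\nhostname=zongbu", "fenbu.t31.com\nhostname=fenbu")
                  .replace("10:33:44", "10:43:55")
                  .replace("Trustpoints: 200.1.1.2 lab", "Trustpoints: 200.1.1.2"))

DATE_RE = re.compile(r"(\d\d:\d\d:\d\d) \w+ (\w{3} \d{1,2} \d{4})")

def parse_ios_date(text):
    """'10:25:41 UTC Apr 18 2009' -> naive datetime (zone assumed shared by both routers)."""
    m = DATE_RE.search(text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")

def parse_certificates(text):
    """One dict per certificate: type, serial, issuer/subject DN lines, validity, trustpoints."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"type": line, "issuer": [], "subject": [], "trustpoints": []}
            certs.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line.startswith("Certificate Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
        elif line == "Validity Date:":
            section = None
        elif line.startswith("start date:"):
            cur["not_before"] = parse_ios_date(line)
        elif line.startswith("end date:"):
            cur["not_after"] = parse_ios_date(line)
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif section:
            cur[section].append(line.lower())  # one DN component per line
    return certs

def ca_cert(certs):
    return next((c for c in certs if c["type"] == "CA Certificate"), None)

def chain_issues(certs):
    """Why a device certificate would not validate against the CA cert of its trustpoint."""
    ca = ca_cert(certs)
    if ca is None:
        return ["no CA certificate: run crypto ca authenticate first"]
    issues = []
    for c in (c for c in certs if c["type"] == "Certificate"):
        if sorted(c["issuer"]) != sorted(ca["subject"]):
            issues.append(f"serial {c['serial']}: issuer is not this trustpoint's CA")
        if not (ca["not_before"] <= c["not_before"] and c["not_after"] <= ca["not_after"]):
            issues.append(f"serial {c['serial']}: validity extends beyond the CA certificate")
    return issues

def same_root(certs_a, certs_b):
    """Both peers must hold the identical root for rsa-sig authentication to succeed."""
    a, b = ca_cert(certs_a), ca_cert(certs_b)
    return bool(a and b) and all(a[k] == b[k] for k in ("serial", "subject", "not_before", "not_after"))

def not_valid_at(certs, clock):
    """Serials a peer whose clock reads `clock` would reject as not yet valid or expired."""
    return [c["serial"] for c in certs if not (c["not_before"] <= clock <= c["not_after"])]

if __name__ == "__main__":
    hq, br = parse_certificates(HQ_LISTING), parse_certificates(BRANCH_LISTING)
    print("chain issues:", chain_issues(hq) + chain_issues(br), "same root:", same_root(hq, br))
    print("rejected by a branch clock of 10:20 UTC:", not_valid_at(br, parse_ios_date("10:20:00 UTC Apr 18 2009")))
```

With the branch clock five minutes behind the CA, even the root certificate (signed at 10:25:41) is "not yet valid", which is exactly why the lab insists on synchronized clocks before crypto ca authenticate.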
 
3. VPN configuration
Head office configuration:
crypto isakmp policy 10
encryption 3des
authentication rsa-sig
hash md5
group 2
exit
crypto ipsec transform-set tim esp-3des esp-md5-hmac
mode tunnel
exit
crypto map tom 1 ipsec-isakmp
set peer 210.1.1.2
set transform-set tim
match address 101
exit
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface ethernet 0/0
crypto map tom
exit
 
Branch configuration:
crypto isakmp policy 10
encryption 3des
authentication rsa-sig
hash md5
group 2
exit
crypto ipsec transform-set tim esp-3des esp-md5-hmac
mode tunnel
exit
crypto map tom 1 ipsec-isakmp
set peer 200.1.1.2
set transform-set tim
match address 101
exit
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 
interface ethernet 0/0
crypto map tom
exit
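The two crypto configurations must agree with each other in specific ways: each side's set peer must be the other side's outside address, the ISAKMP policy and transform set must match, and the crypto ACLs must be exact mirror images. The script below is an added example, not part of the original lab, that parses both configurations and reports any of these mismatches; it also flags the ISAKMP parameters used here (3des, md5, group 2), which are now considered legacy. The outside addresses 200.1.1.2 and 210.1.1.2 are the DHCP-assigned ones from the lab; the head-office configuration is copied from the lab text and the branch copy is derived from it by swapping the peer and the ACL direction.

```python
# Added example, not part of the original lab: parse the two crypto configurations
# and check the things that most often break a site-to-site tunnel: peers that do
# not point at each other, ISAKMP policies or transform sets that differ, and
# crypto ACLs that are not mirror images.
HQ_CFG = """\
crypto isakmp policy 10
 encryption 3des
 authentication rsa-sig
 hash md5
 group 2
crypto ipsec transform-set tim esp-3des esp-md5-hmac
 mode tunnel
crypto map tom 1 ipsec-isakmp
 set peer 210.1.1.2
 set transform-set tim
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Branch configuration: same policy, peer swapped, ACL direction reversed.
BRANCH_CFG = HQ_CFG.replace("set peer 210.1.1.2", "set peer 200.1.1.2").replace(
    "192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255", "192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")

ISAKMP_KEYS = ("encryption", "authentication", "hash", "group", "lifetime")
# Values now considered legacy by current Cisco next-generation-encryption guidance.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}


def parse_crypto(cfg):
    """Pull the ISAKMP policy, transform set, peer, crypto ACL id and ACL entries out of an IOS config."""
    p = {"isakmp": {}, "transform": None, "peer": None, "acl_id": None, "acls": {}}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif line.startswith("crypto ipsec transform-set"):
            p["transform"] = tuple(parts[4:])  # e.g. ('esp-3des', 'esp-md5-hmac')
            section = "transform"
        elif line.startswith("crypto map"):
            section = "map"
        elif parts[0] == "access-list":
            p["acls"].setdefault(parts[1], []).append(tuple(parts[2:]))
        elif section == "isakmp" and parts[0] in ISAKMP_KEYS:
            p["isakmp"][parts[0]] = " ".join(parts[1:])
        elif section == "map" and parts[:2] == ["set", "peer"]:
            p["peer"] = parts[2]
        elif section == "map" and parts[:2] == ["match", "address"]:
            p["acl_id"] = parts[2]
    return p


def mirror(ace):
    """('permit','ip',src,smask,dst,dmask) -> the entry the other side must carry."""
    action, proto, src, smask, dst, dmask = ace  # standard-form ACE only
    return (action, proto, dst, dmask, src, smask)


def check_pair(a, a_outside, b, b_outside):
    """Mismatches between side A and side B given each side's outside address."""
    problems = []
    if a["peer"] != b_outside:
        problems.append(f"A peers with {a['peer']} but B's outside address is {b_outside}")
    if b["peer"] != a_outside:
        problems.append(f"B peers with {b['peer']} but A's outside address is {a_outside}")
    if a["isakmp"] != b["isakmp"]:
        problems.append("ISAKMP policy parameters differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform sets differ")
    a_acl = a["acls"].get(a["acl_id"], [])
    b_acl = b["acls"].get(b["acl_id"], [])
    if sorted(mirror(x) for x in a_acl) != sorted(b_acl):
        problems.append("crypto ACLs are not mirror images")
    return problems


def legacy_settings(p):
    """ISAKMP parameters that should be replaced (AES, SHA-2, DH group 14 or higher)."""
    return [f"{k}={v}" for k, v in p["isakmp"].items() if v in LEGACY.get(k, set())]


if __name__ == "__main__":
    hq, br = parse_crypto(HQ_CFG), parse_crypto(BRANCH_CFG)
    print("problems:", check_pair(hq, "200.1.1.2", br, "210.1.1.2") or "none")
    print("legacy ISAKMP settings on the head office:", legacy_settings(hq))
```

The mirror check is the one worth automating: a crypto ACL that is not the exact reverse of the peer's is the most common reason phase 2 fails while phase 1 still completes.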
4. Test:
fenbu#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 144/145/152 ms
(The first three echoes are lost while IKE phase 1 and phase 2 negotiate the SAs; a second ping succeeds fully. show crypto isakmp sa and show crypto ipsec sa confirm that the tunnel is up.)
5. Lab summary:
One conclusion follows from this lab: when a router is both the CA server and a VPN endpoint, it must request a device certificate from itself; the CA's root certificate alone gives it no identity certificate to present during rsa-sig authentication.
 
Verification commands on a client router:
show crypto ca certificates (check the certificates; the display differs from the CA's own trustpoint lab, which holds only SN 01. Here SN 02 is the client's identity certificate and SN 01 is the CA root certificate)
show crypto ca trustpoints (check the trustpoint)
show crypto key pubkey-chain rsa (public keys the router has learned, including the CA's)
show crypto key mypubkey rsa (the router's own key pair, used to request the identity certificate and the root certificate from the CA)
Verification commands on the CA:
show crypto ca certificates (this is the root certificate the CA signed for itself)
show crypto key mypubkey rsa (remember: the CA needs an RSA key pair to sign the root certificate and to verify signatures)
show crypto pki server
zb#dir nvram:
Directory of nvram:/
  124  -rw-           0                    <no date>  startup-config
  125  ----           0                    <no date>  private-config
    1  -rw-          32                    <no date>  lab.ser
    2  -rw-         245                    <no date>  lab.crl
129016 bytes total (126916 bytes free)
There are no .crt or .cnm files here because the certificate server's database level defaults to minimal, which stores only the serial-number file (lab.ser) and the CRL (lab.crl); database level names would add a .cnm name file per issued certificate, and database level complete would also store each issued certificate as a .crt file.