Issuing certificates to a Cisco router from a Microsoft CA server (51CTO blog)

2019-03-31 10:50:41 | Author: 飞荷 | Tags: router, certificate, Microsoft | Views: 1269

 

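The previous article covered setting up a CA on an IOS router to issue certificates for *** authentication. This time we look at using a Microsoft CA server to issue certificates to the router.

Prerequisites:

1. IIS is enabled on the CA.

2. The Resource Kit Tools must be installed on Windows 2003. (Note: they are not on the 2003 installation CD and have to be downloaded from the Microsoft website -> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en )

3. The router's clock is synchronized with the CA / AD.

4. After installing the Resource Kit Tools, run Command Shell and enter cepsetup.

Note down this address; it will be needed shortly.

You can see that it has been created.

Router configuration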

r1(config)#ip domain name liang.com
r1(config)#ip host contoso.com.local 202.1.100.102   ! AD domain name and IP
r1(config)#crypto key generate rsa usage-keys
The name for the keys will be: r1.liang.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
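r1(config)#crypto pki trustpoint 202.1.100.102
r1(ca-trustpoint)#enrollment mode ra
r1(ca-trustpoint)#enrollment url http://202.1.100.102:80/certsrv/mscep/mscep.dll
r1(ca-trustpoint)#revocation-check crl
r1(ca-trustpoint)#subject-name cn=r2 ou=cisco i=zhengzhou
r1(ca-trustpoint)#exit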
r1(config)#crypto pki authenticate 202.1.100.102
Certificate has the following attributes:
       Fingerprint MD5: A3267F58 9A9EC6F7 B829A0B8 8CDC239F
      Fingerprint SHA1: 840B5626 DC206B25 D422C745 027BE178 D9E43920

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#crypto pki en                       
r1(config)#crypto pki enroll 202.1.100.102
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:                                        <- the password is the verification code shown on the CA home page
Re-enter password:

% The subject name in the certificate will include: cn=r2 ou=cisco i=zhengzhou
% The subject name in the certificate will include: r1.liang.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 00000000
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The show crypto ca certificate 202.1.100.102 verbose command will show the fingerprint.

r1(config)#
May 18 18:17:14.655: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: D08E0D15 6458B730 80F420E7 50C7674C
May 18 18:17:14.659: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 29F834C3 0C394456 D8149A94 312C9D1A 222F0802
r1(config)#
May 18 18:17:15.999: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: AAF76201 20AB21BB F9A95518 ECBD7173
May 18 18:17:16.007: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 68D2A55C 39E71321 DDF2E5DD 913B2D56 B5F579D2
r1(config)#
May 18 18:18:30.399: %PKI-6-CERTRET: Certificate received from Certificate Authority
r1(config)#
May 18 18:18:42.011: %PKI-6-CERTRET: Certificate received from Certificate Authority

If the verification code is wrong:

r3(config)#crypto pki enroll 202.1.100.102
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cn=r3 ou=nongda
% The subject name in the certificate will include: r3.liang.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The show crypto ca certificate 202.1.100.102 verbose command will show the fingerprint.

r3(config)#
May 18 18:10:24.230: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 3DAD7EC7 79B03CA2 562BDF92 28D9F25A
May 18 18:10:24.234: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 72CBA0CB 1B060C8A EF95B12A 36BCAB99 5065E107
r3(config)#
May 18 18:10:25.582: CRYPTO_PKI: Encryption Certificate Request Fingerprint MD5: F0FA2EFE 11928FB6 33281E25 D53C1AFF
May 18 18:10:25.586: CRYPTO_PKI: Encryption Certificate Request Fingerprint SHA1: 35ADC86F 3F46A70F A7B5FB0A 8164638E B3BEC32B
r3(config)#
May 18 18:10:27.066: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
May 18  not authorized
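An added example, not part of the original post: before answering yes at the "Do you accept this certificate?" prompt of crypto pki authenticate, the fingerprints the router prints can be compared with ones computed from a copy of the CA certificate obtained over a trusted channel. The function names and the stand-in certificate bytes are assumptions of this example; the router output is the one shown in the session above.

```python
import base64
import hashlib
import re

# IOS prints the CA fingerprint on lines that start with "Fingerprint"; the
# later "... Certificate Request Fingerprint" log lines are CSR hashes, so the
# pattern is anchored to the start of the line to ignore them.
FP_LINE = re.compile(
    r"^[ \t]*Fingerprint[ \t]+(MD5|SHA1):[ \t]*([0-9A-Fa-f \t]+?)[ \t]*\r?$",
    re.MULTILINE)

def to_der(cert: bytes) -> bytes:
    """Accept DER as-is, or strip PEM armour and base64-decode it."""
    if b"-----BEGIN CERTIFICATE-----" not in cert:
        return cert
    body = cert.split(b"-----BEGIN CERTIFICATE-----")[1]
    body = body.split(b"-----END CERTIFICATE-----")[0]
    return base64.b64decode(b"".join(body.split()))

def cisco_fingerprint(cert: bytes, algo: str) -> str:
    """Hash the DER certificate and group it in 8-hex-digit words like IOS."""
    digest = hashlib.new(algo.lower(), to_der(cert)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def router_fingerprints(transcript: str) -> dict:
    """Return {'MD5': hex, 'SHA1': hex} as shown by the router, spaces removed."""
    return {algo: "".join(hexs.split()).upper()
            for algo, hexs in FP_LINE.findall(transcript)}

def safe_to_accept(transcript: str, trusted_cert: bytes) -> bool:
    """True only if a SHA1 fingerprint is shown and every shown value matches."""
    shown = router_fingerprints(transcript)
    if "SHA1" not in shown:          # never decide on MD5 alone
        return False
    return all(cisco_fingerprint(trusted_cert, algo).replace(" ", "") == value
               for algo, value in shown.items())

# Router output copied from the session on this page.
PAGE_OUTPUT = """Certificate has the following attributes:
       Fingerprint MD5: A3267F58 9A9EC6F7 B829A0B8 8CDC239F
      Fingerprint SHA1: 840B5626 DC206B25 D422C745 027BE178 D9E43920
May 18 18:17:14.655: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: D08E0D15 6458B730 80F420E7 50C7674C
"""
# Constructed stand-in bytes (not a real certificate) for the trusted copy.
STAND_IN_CERT = b"abc"

if __name__ == "__main__":
    print(router_fingerprints(PAGE_OUTPUT))
    print("accept?", safe_to_accept(PAGE_OUTPUT, STAND_IN_CERT))  # mismatch
```

In use, STAND_IN_CERT is replaced by the bytes of the CA certificate file (DER or PEM) and PAGE_OUTPUT by the text pasted from the router console.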

 

 

 

 

 
