PKI server and client configuration example (basic principles of a PKI system)

Reader submission 346 2022-09-13



The article below explains how to configure a PKI server and a PKI client on Cisco routers. The demonstration was done in GNS3.

The following must be in place for the PKI server and client to work:

a. The HTTP server is enabled on the CA router (SCEP enrollment runs over HTTP).
b. Time is synchronised via NTP (IMPORTANT: if the CA server's clock is ahead of the client's, enrollment fails, because the certificate the CA issues is not yet valid as seen by the client).
c. A general-purpose RSA key pair is generated.
d. A domain name is configured.

Configuration for the server:

R3(config)#crypto pki server ROOT_CA
R3(cs-server)#grant ?
  auto     Automatically grant incoming SCEP enrollment requests
  none     Automatically reject any incoming SCEP enrollment request
  ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request

R3(cs-server)#grant auto
R3(cs-server)#lifetime certificate ?
  <0-7305>  Lifetime in days

grant auto issues a certificate to any device that can reach the SCEP URL and submit a request; that is fine for this lab but not for production. There, leave granting manual (the default, with no grant auto, so each request stays pending until it is approved with crypto pki server ROOT_CA grant <request-id>) or use ra-auto behind a registration authority.

R3(cs-server)#lifetime certificate 365

R3(cs-server)#issuer-name ?
  LINE  Issuer name

R3(cs-server)#issuer-name CN=R3.ine.com

R3(config)#ip domain name ine.com

R3(config)#do sh run | s pki
crypto pki server ROOT_CA
 no database archive
 issuer-name CN=R3.ine.com
 grant auto
 shutdown

R3(config)#crypto pki server ROOT_CA
R3(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

Note that the CA key pair defaults to 1024-bit RSA, which is too small for anything but a lab. To use a stronger key, generate it before no shut with a label equal to the server name (crypto key generate rsa general-keys label ROOT_CA modulus 2048); the certificate server then uses that key pair instead of generating its own.

R3#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    start date: 06:25:29 UTC Jun 4 2018
    end   date: 06:25:29 UTC Jun 3 2021
  Associated Trustpoints: ROOT_CA

R3# sh crypto pki server
Certificate Server ROOT_CA:
    Status: disabled, HTTP Server is disabled   !-- the HTTP server is disabled, so SCEP cannot be served
    State: check failed
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

SCEP is served by the IOS HTTP server, so enable it:

R3(config)#ip http server

R3#sh crypto pki server
Certificate Server ROOT_CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=R3.ine.com
    CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 06:25:29 UTC Jun 3 2021
    CRL NextUpdate timer: 12:25:29 UTC Jun 4 2018
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

Record the CA cert fingerprint shown here (36C67C4E 680217D5 46685CD3 D156DB53); it is the value each client must be shown when it authenticates the trustpoint.

===============================================

Configuration for the client:

R1(config)#crypto pki trustpoint R3
R1(ca-trustpoint)#enrollment url http://150.1.3.3
R1(config)#crypto key generate rsa general-keys label IPSEC_PKI modulus 1024

R1#sh crypto key mypubkey rsa
% Key pair was generated at: 06:41:08 UTC Jun 4 2018
Key name: IPSEC_PKI
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008E0C3C
  710703FC 85305724 AE36BEF7 B2BB2B9C C476C1B9 6C9E0EDB D6EB46CE AE288D33
  C43FC774 3A3645F0 548BBAB1 13276648 5A48CE5F 80C22F0D 86AAD257 FECEA51B
  EA02C095 D75A6D27 4800904C FBCCFB0F 09BF0818 E0D80746 23828207 7CEE568A
  97DF1877 51775C35 21CC2748 FEB0CBFD 32F053EF 40F9F684 46664934 29020301 0001
% Key pair was generated at: 06:41:09 UTC Jun 4 2018
Key name: IPSEC_PKI.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A04028 2F345565
  E9F379E3 27450DBC 5DF5306B 936966B0 CEABA54B 4F562A3A 0EE94A5A 2E5AE90E
  AB61B02F 5D2C7E51 F42D2349 D79244B7 879F0A01 9A422745 8A791F4D 0EF83123
  B26D4AB1 289D15E8 11791DCB 93C6FBF5 F29FE47A F25F9A54 FB020301 0001

R1# sh run | s pki
crypto pki trustpoint R3
 enrollment url http://150.1.3.3
 revocation-check crl   !-- This is a lab environment; it is changed to none below.

R1(config)#crypto pki trustpoint R3
R1(ca-trustpoint)#revocation-check none
R1(ca-trustpoint)#rsakeypair IPSEC_PKI

revocation-check none means R1 never consults the CRL that ROOT_CA publishes (see the CRL NextUpdate timer above), so a revoked peer certificate would still be accepted. Outside the lab keep the default crl check and make sure the client can actually fetch the CRL from the CA; otherwise certificate validation fails closed.

DEBUGGING

R1#debug crypto pki transactions
Crypto PKI Trans debugging is on
R3#debug crypto pki server
Crypto PKI Certificate Server debugging is on

R1(config)#crypto pki authenticate R3
Certificate has the following attributes:
Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A

% Do you accept this certificate? [yes/no]:
*Jun 4 06:49:42.534: CRYPTO_PKI: Sending CA Certificate Request:
GET /cgi-bin/pkiclient.exe?operation=GetCACert&message=R3 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.534: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.535: CRYPTO_PKI: connection opened
*Jun 4 06:49:42.535: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.535: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.537: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.537: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.550: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.550: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-x509-ca-cert
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

Content-Type indicates we have received a CA certificate.

Jun 4 06:49:42.551: Received 519 bytes from server as CA certificate:
Jun 4 06:49:42.551: CRYPTO_PKI_SCEP: Client Sending GetCACaps request
Jun 4 06:49:42.551: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.552: CRYPTO_PKI: connection opened
*Jun 4 06:49:42.552: CRYPTO_PKI: Sending HTTP message

*Jun 4 06:49:42.552: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 150.1.3.3

Jun 4 06:49:42.553: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.553: CRYPTO_PKI: locked trustpoint R3, refcount is 1
Jun 4 06:49:42.564: CRYPTO_PKI: unlocked trustpoint R3, refcount is 0
Jun 4 06:49:42.564: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Date: Mon, 04 Jun 2018 06:49:42 GMT
Server: cisco-IOS
Content-Type: application/x-pki-message
Expires: Mon, 04 Jun 2018 06:49:42 GMT
Last-Modified: Mon, 04 Jun 2018 06:49:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Accept-Ranges: none

CA_CAP_GET_NEXT_CA_CERT CA_CAP_RENEWAL CA_CAP_SHA_1 CA_CAP_SHA_256 CA_CAP_SHA_384 CA_CAP_SHA_512
Jun 4 06:49:42.564: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.
*Jun 4 06:49:42.564: CRYPTO_PKI: CA certificate received.

*Jun 4 06:49:42.565: CRYPTO_PKI: crypto_pki_authenticate_tp_cert()

*Jun 4 06:49:42.565: CRYPTO_PKI: trustpoint R3 authentication status = 0

% Please answer 'yes' or 'no'.

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Before answering yes, compare the fingerprint shown here with the CA cert fingerprint printed by show crypto pki server on R3 (36C67C4E 680217D5 46685CD3 D156DB53), obtained through a channel other than this download. The GetCACert response travels over plaintext HTTP, so this comparison is the only check that the certificate really belongs to ROOT_CA. To make the check non-interactive and fail-closed, configure the expected value under the trustpoint with the fingerprint command before running crypto pki authenticate.

R1(config)#crypto pki enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.ine.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 2048012
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 150.1.1.1
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R3' command will show the fingerprint.

On R3, the server-side debug shows the GetCACert and GetCACaps requests being answered and then the enrollment request being processed and granted. Note that it prints the challenge password taken from the PKCS#10 request (cisco123) in clear text, so debug output and any syslog that captures it are sensitive; turn the debug off and clear the log once troubleshooting is done.

R3(config)#
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS received SCEP GetCACert request
Jun 4 06:49:42.542: CRYPTO_PKI_SCEP: CS sending CA certificate
Jun 4 06:49:42.544: CRYPTO_CS: CA certificate sent
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CS received GetCACaps request
Jun 4 06:49:42.561: CRYPTO_PKI_SCEP: CA sending list of capabilites (GetNextCACert Renewal SHA2 hashes)
Jun 4 06:49:42.562: CRYPTO_CS: Capabilities sent
R3(config)#
Jun 4 06:53:08.454: CRYPTO_PKI_SCEP: CS received PKIOperation request
Jun 4 06:53:08.454: CRYPTO_CS: processing SCEP request, 2121 bytes
Jun 4 06:53:08.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
Jun 4 06:53:08.460: CRYPTO_CS: scep msg type - 19
Jun 4 06:53:08.460: CRYPTO_CS: trans id - E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
Jun 4 06:53:08.464: CRYPTO_CS: received an enrollment request
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to trans id E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment password (challenge) obtained from pkcs10 message is cisco123
Jun 4 06:53:08.464: CRYPTO_CS: No enrollment request in the erdbase corresponding to challenge cisco123
Jun 4 06:53:08.464: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to enrollment password cisco123
Jun 4 06:53:08.464: CRYPTO_CS: cert which signed the enrollment request is not an RA cert
Jun 4 06:53:08.464: CRYPTO_CS: checking policy for enrollment request ID=1
Jun 4 06:53:08.464: CRYPTO_CS: request has been authorized, transaction id=E98E01D5675545C286BA0F7719D0A62C
Jun 4 06:53:08.464: CRYPTO_CS: locking the CS
Jun 4 06:53:08.464: CRYPTO_CS: added key usage extension
*Jun 4 06:53:08.464: CRYPTO_CS: Validity: 06:53:08 UTC Jun 4 2018-06:53:08 UTC Jun 4 2019

Jun 4 06:53:08.468: CRYPTO_CS: writing serial number 0x2.
Jun 4 06:53:08.468: CRYPTO_CS: file opened: nvram:ROOT_CA.ser
Jun 4 06:53:08.468: CRYPTO_CS: Writing 32 bytes to ser file
Jun 4 06:53:08.468: CRYPTO_CS: reqID=1 granted, fingerprint=B
Jun 4 06:53:08.468: CRYPTO_CS: unlocking the CS
Jun 4 06:53:08.468: CRYPTO_PKI_SCEP: CS Sending CertRep Response - GRANTED(E98E01D5675545C286BA0F7719D0A62C)
Jun 4 06:53:08.468: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
R3(config)#
Jun 4 06:53:08.478: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
*Jun 4 06:53:08.482: CRYPTO_CS: Certificate generated and sent to requestor

R1(config)#do sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=R3.ine.com
  Subject:
    Name: R1.ine.com
    IP Address: 150.1.1.1
    Serial Number: 2048012
    serialNumber=2048012+ipaddress=150.1.1.1+hostname=R1.ine.com
  Validity Date:
    start date: 06:53:08 UTC Jun 4 2018
    end   date: 06:53:08 UTC Jun 4 2019
  Associated Trustpoints: R3

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R3.ine.com
  Subject:
    cn=R3.ine.com
  Validity Date:
    start date: 06:25:29 UTC Jun 4 2018
    end   date: 06:25:29 UTC Jun 3 2021
  Associated Trustpoints: R3

The enrollment below was done on an ASA. Because the CA server's clock was ahead of the ASA's system time, the enrollment failed: the CA stamped the new certificate with a start date that was still in the ASA's future, so the ASA rejected it as "not valid yet". Synchronise both devices with NTP before enrolling.

asa1/act/pri(config)# crypto ca enroll R3
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password: ****
Re-enter password: ****

% The fully-qualified domain name in the certificate will be: asa1.ine.com

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 9APW6PPKHC0

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1/act/pri(config)# Certificate is not valid yet.
The certificate enrollment request failed!
%ASA-3-717002: Certificate enrollment failed for trustpoint R3.  Reason: Generic request failure.
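The two decisions that make or break this exchange, the fingerprint comparison during crypto pki authenticate and the clock check that tripped the ASA above, are easy to get wrong by hand. The Python script below is an added example (not code from the original post or from Cisco): it runs those checks, plus a check that the CA's GetCACaps answer includes a SHA-2 hash, against constructed copies of the CLI output shown in this article, so it needs no network access. All function names are the example's own; the sample strings are copied from the page; the capability tokens are parsed exactly as the IOS debug prints them, not in SCEP wire format.

```python
"""SCEP enrollment pre-flight checks against the IOS/ASA output captured above.
Added example, not code from the original post or from Cisco; every sample string
below is a constructed copy of CLI output shown in the article."""
import hmac
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

# --- constructed samples, copied from the article's CLI output --------------
SHOW_CRYPTO_PKI_SERVER = """\
Certificate Server ROOT_CA:
Status: enabled
Issuer name: CN=R3.ine.com
CA cert fingerprint: 36C67C4E 680217D5 46685CD3 D156DB53
"""
AUTHENTICATE_PROMPT = """\
Certificate has the following attributes:
Fingerprint MD5: 36C67C4E 680217D5 46685CD3 D156DB53
Fingerprint SHA1: 6679D074 81BDD9AF 948D8C98 2A1B3673 B586372A
"""
R1_CERT = """\
Certificate Serial Number (hex): 02
Validity Date:
start date: 06:53:08 UTC Jun 4 2018
end date: 06:53:08 UTC Jun 4 2019
"""
# capability names as the IOS client prints them in its debug (not the wire format)
GETCACAPS_DEBUG = ("CA_CAP_GET_NEXT_CA_CERT CA_CAP_RENEWAL CA_CAP_SHA_1 "
                   "CA_CAP_SHA_256 CA_CAP_SHA_384 CA_CAP_SHA_512")
IOS_TIME_FMT = "%H:%M:%S %Z %b %d %Y"   # e.g. "06:25:29 UTC Jun 4 2018"


def utc(*ymdhms: int) -> datetime:
    """UTC-aware timestamp, e.g. utc(2018, 6, 4, 6, 50, 0)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def scep_get_url(ca_host: str, operation: str, message: Optional[str] = None) -> str:
    """The SCEP GET URL seen in the debug (GetCACert / GetCACaps); note: plain HTTP."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"http://{ca_host}/cgi-bin/pkiclient.exe?{urlencode(params)}"


def parse_fingerprint(text: str, label: str) -> Optional[str]:
    """Hex groups following 'label:' normalised to one upper-case string, else None."""
    m = re.search(rf"{re.escape(label)}\s*:\s*((?:[0-9A-Fa-f]{{8}}\s*)+)", text)
    return "".join(m.group(1).split()).upper() if m else None


def ca_fingerprint_matches(authenticate_output: str, show_server_output: str) -> bool:
    """True only if the MD5 fingerprint shown by 'crypto pki authenticate' equals the
    'CA cert fingerprint' read out of band from 'show crypto pki server' on the CA
    (IOS prints the same 128-bit value in both places). GetCACert travels over
    plaintext HTTP, so this comparison is what stops a substituted CA being trusted."""
    presented = parse_fingerprint(authenticate_output, "Fingerprint MD5")
    expected = parse_fingerprint(show_server_output, "CA cert fingerprint")
    if presented is None or expected is None:
        return False                      # missing value: fail closed
    return hmac.compare_digest(presented, expected)


def validity_status(cert_output: str, client_now: datetime) -> str:
    """Judge a certificate with the enrolling device's clock. 'not yet valid' is
    exactly the ASA failure above, where the CA clock ran ahead of the ASA's."""
    def field(name: str) -> datetime:
        raw = re.search(rf"{name} date:\s*(.+)", cert_output).group(1).strip()
        return datetime.strptime(raw, IOS_TIME_FMT).replace(tzinfo=timezone.utc)
    start, end = field("start"), field("end")
    if client_now < start:
        return "not yet valid"
    if client_now > end:
        return "expired"
    return "valid"


def parse_ca_caps(debug_line: str) -> set:
    """Capability tokens from the GetCACaps debug line."""
    return {tok for tok in debug_line.split() if tok.startswith("CA_CAP_")}


def strongest_sha2(caps: set) -> Optional[str]:
    """Strongest SHA-2 capability advertised; None means the CA only offers SHA-1
    for SCEP messages, which should be treated as a finding."""
    for cap in ("CA_CAP_SHA_512", "CA_CAP_SHA_384", "CA_CAP_SHA_256"):
        if cap in caps:
            return cap
    return None


if __name__ == "__main__":
    # A client clock three minutes behind the CA: the skew that broke the ASA enrollment.
    print(scep_get_url("150.1.3.3", "GetCACert", "R3"))
    print("CA fingerprint ok:", ca_fingerprint_matches(AUTHENTICATE_PROMPT, SHOW_CRYPTO_PKI_SERVER))
    print("R1 cert as seen by the client:", validity_status(R1_CERT, utc(2018, 6, 4, 6, 50, 0)))
    print("strongest SHA-2 offered:", strongest_sha2(parse_ca_caps(GETCACAPS_DEBUG)))
```

Run it as a script to see the three findings for the article's data: the fingerprint matches, R1's certificate is "not yet valid" for a client whose clock is behind the CA's, and the CA advertises SHA-512. Paste real show output into the sample strings to check a live enrollment; the fingerprint comparison uses hmac.compare_digest and fails closed when either value is missing.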

