wuhao0015
This is a note from something I set up earlier; I'm sharing it now for anyone who needs it. Used together with SSLVPN, it solves the certificate error on connection.
Step 1: Generate the RSA key pair; note that the modulus length is 2048.
crypto key generate rsa modulus 2048 label nj-home.iteachs.com
View the RSA key:
NJ-Home-C892#show crypto key mypubkey rsa
% Key pair was generated at: 11:22:49 BJ Feb 3 2016
Key name: nj-home.iteachs.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EAB433
3FDA0313 8653705E 0F1C85CC 885A2979 D58D45CB 2B3B6A65 21E69450 59E32AA2
AC202D8A 20EF3572 71C3A098 4D2AC5A2 613244DC 02C53395 4D547659 2A4F39E0
9C09FC86 4E3B2217 00B3F6F0 CE470A8C CB5DFC1C E8DD9307 2C66063E C979746F
D456B97D E5F681E2 1C0BC37B 97D4D46E 29379A91 D78D276B 3A9C126E 7F020301 0001
% Key pair was generated at: 22:20:55 BJ Feb 16 2016
Key name: nj-home.iteachs.com.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C754A8 F765B4F8
E5AB3131 483E80BB 8E7F1D3B 1B59F9E3 7E8230EC 19053E2E 66993153 3E456A0E
D8E4BB04 F03A536A 88CCBCEE 58E0658E 9CF55648 3B6DE2AB 4344D1B6 7A22EEFD
3ED143E6 F0303690 E09C4365 5DE14CE4 BDA8F8E6 5B20C7DD DF020301 0001
NJ-Home-C892#
Step 2: Configure the trustpoint.
crypto pki trustpoint nj-home.iteachs.com
enrollment terminal
serial-number none
subject-name cn=nj-home.iteachs.com, o=iteachs.com, ou=home, c=cn, l=Nanjing
revocation-check none
rsakeypair nj-home.iteachs.com
Step 3: Generate the CSR.
NJ-Home-C892(config)#crypto pki enroll nj-home.iteachs.com
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=nj-home.iteachs.com, o=iteachs.com, ou=home, c=cn, l=Nanjing
% The subject name in the certificate will include: nj-home.iteachs.com
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
(base64-encoded certificate request omitted)
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:
Step 4: Apply for a certificate using the CSR
Process omitted.
Step 5: Download the root certificate and the identity (personal) certificate you applied for (from an MS CA or from WoSign's free service)
Process omitted.
Step 6: Import the root certificate (or the subordinate CA certificate)
NJ-Home-C892(config)#crypto pki authenticate nj-home.iteachs.com
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
quit
Trustpoint 'nj-home.iteachs.com' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: F3C9B96C 6DB39091 A183E334 9CA2FAD9
Fingerprint SHA1: F4DB6D02 81F204D3 6E2D2FBF A72F7940 ED9D1ADC
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
NJ-Home-C892(config)#
Step 7: Import the identity (personal) certificate
NJ-Home-C892(config)#crypto pki import nj-home.iteachs.com certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
NJ-Home-C892(config)#
View the imported certificates:
NJ-Home-C892#show crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 52014A699488C3FDDD0B739773BD5409
Certificate Usage: General Purpose
Issuer:
cn=WoSign CA Free SSL Certificate G2
o=WoSign CA Limited
c=CN
Subject:
Name: nj-home.iteachs.com
cn=nj-home.iteachs.com
CRL Distribution Points:
http://crls1.wosign.com/ca6-server1-free.crl
Validity Date:
start date: 16:09:00 BJ Feb 17 2016
end date: 16:09:00 BJ Feb 17 2018
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: DABFAE33 26FF86E0 AF29E86C 1C71B427
Fingerprint SHA1: F18592E0 99786D61 B4CE64F4 40370C14 D9923C81
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 2AD186B9 D08F7AFC DF55A21E 5F8AEF65 FFD402E6
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
nj-home.iteachs.com
X509v3 Authority Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
Authority Info Access:
OCSP URL: http://ocsp1.wosign.com/ca6/server1/free
X509v3 CertificatePolicies:
Policy: 1.3.6.1.4.1.36305.6.1.2.2.1
Qualifier ID: 1.3.6.1.5.5.7.2.1
Qualifier Info: http://www.wosign.com/policy/
Policy: 2.23.140.1.2.1
Associated Trustpoints: nj-home.iteachs.com
Key Label: nj-home.iteachs.com
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 38F645C1E25D912CCE3B2B391231740D
Certificate Usage: Signature
Issuer:
cn=Certification Authority of WoSign
o=WoSign CA Limited
c=CN
Subject:
cn=WoSign CA Free SSL Certificate G2
o=WoSign CA Limited
c=CN
CRL Distribution Points:
http://crls1.wosign.com/ca1.crl
Validity Date:
start date: 08:58:58 BJ Nov 8 2014
end date: 08:58:58 BJ Nov 8 2029
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: F3C9B96C 6DB39091 A183E334 9CA2FAD9
Fingerprint SHA1: F4DB6D02 81F204D3 6E2D2FBF A72F7940 ED9D1ADC
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: E166CF0E D1F1B34B B7062014 FE8712D5 F6FEFB3E
Authority Info Access:
OCSP URL: http://ocsp1.wosign.com/ca1
X509v3 CertificatePolicies:
Policy: 1.3.6.1.4.1.36305.6.1.2.2.1
Qualifier ID: 1.3.6.1.5.5.7.2.1
Qualifier Info: http://www.wosign.com/policy/
Associated Trustpoints: nj-home.iteachs.com
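The verbose output above is where you confirm that step 6 and step 7 actually produced a usable chain, not just two certificates that happen to sit in the same trustpoint. The script below is an added example, not part of the original post and not Cisco code: it parses the router text (trimmed to the lines the checks use), confirms the router certificate's issuer DN and Authority Key ID match the imported CA's subject and Subject Key ID, that the CA has CA:TRUE, that the SAN names the gateway host, that both certificates are inside their validity windows, and that neither is signed with MD5 or SHA1. The hostname and the check date are assumptions; it uses only the standard library.

```python
"""Cross-check the chain the router reports after steps 6 and 7.

Added example, not part of the original post and not Cisco code: it parses the
'show crypto pki certificates verbose' text above (trimmed to the lines the
checks use) and confirms the router certificate chains to the imported CA,
names the gateway host in its SAN and is inside its validity window.
Hostname and check date are assumptions; standard library only.
"""
from datetime import datetime, timedelta

SHOW_CERTS = """\
Certificate
Issuer:
cn=WoSign CA Free SSL Certificate G2
c=CN
Subject:
cn=nj-home.iteachs.com
start date: 16:09:00 BJ Feb 17 2016
end date: 16:09:00 BJ Feb 17 2018
Signature Algorithm: SHA256 with RSA Encryption
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
nj-home.iteachs.com
X509v3 Authority Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
CA Certificate
Issuer:
cn=Certification Authority of WoSign
c=CN
Subject:
cn=WoSign CA Free SSL Certificate G2
c=CN
start date: 08:58:58 BJ Nov 8 2014
end date: 08:58:58 BJ Nov 8 2029
Signature Algorithm: SHA256 with RSA Encryption
X509v3 Subject Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
X509v3 Basic Constraints:
CA: TRUE
"""


def parse_show_certs(text):
    """Split the verbose output into one dict per certificate block."""
    certs, cur, dn, last = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line, "issuer": [], "subject": [], "f": {}}
            certs.append(cur)
            dn = last = None
        elif cur is None or not line:
            continue
        elif line in ("Issuer:", "Subject:"):
            dn = line[:-1].lower()              # start collecting RDN lines
        elif dn and "=" in line and ":" not in line:
            cur[dn].append(line)                # cn=..., o=..., c=...
        elif ":" in line:                       # 'key: value'; the value may be empty
            key, val = (s.strip() for s in line.split(":", 1))
            dn, last = None, key
            cur["f"][key] = [val] if val else []
        elif last:                              # continuation line, e.g. a SAN entry
            cur["f"][last].append(line)
    return certs


def ios_date(text):
    """'16:09:00 BJ Feb 17 2016' -> datetime; the router's zone name is dropped."""
    t = text.split()
    return datetime.strptime(" ".join([t[0]] + t[2:5]), "%H:%M:%S %b %d %Y")


def check_chain(certs, hostname, now):
    """Return findings as strings; an empty list means the installed chain is consistent."""
    def f(cert, key):
        return " ".join(cert["f"].get(key, []))
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    ids = [c for c in certs if c["kind"] == "Certificate"]
    cas = [c for c in certs if c["kind"] == "CA Certificate"]
    if len(ids) != 1 or not cas:
        return ["expected one router certificate and at least one CA certificate"]
    idc, out = ids[0], []
    # Issuer DN must equal the CA subject and the AKI must equal the CA SKI; a
    # mismatch means a different CA was accepted at 'crypto pki authenticate'.
    ca = next((c for c in cas if c["subject"] == idc["issuer"]), None)
    if ca is None:
        out.append("router cert issuer matches no imported CA subject")
    elif f(idc, "X509v3 Authority Key ID") != f(ca, "X509v3 Subject Key ID"):
        out.append("Authority Key ID differs from the CA's Subject Key ID")
    elif f(ca, "CA") != "TRUE":
        out.append("issuing certificate lacks CA:TRUE")
    # Browsers and VPN clients match the SAN, not the CN.
    if hostname not in idc["f"].get("X509v3 Subject Alternative Name", []):
        out.append(f"SAN does not contain {hostname}")
    for c in [idc] + ([ca] if ca else []):
        start, end = ios_date(f(c, "start date")), ios_date(f(c, "end date"))
        if not start <= now <= end:
            out.append(f"{c['kind']} is not valid on {now:%Y-%m-%d}")
        elif end - now < timedelta(days=30):
            out.append(f"{c['kind']} expires within 30 days")
        if any(h in f(c, "Signature Algorithm") for h in ("MD5", "SHA1 ")):
            out.append(f"{c['kind']} is signed with a deprecated hash")
    return out


if __name__ == "__main__":
    print(check_chain(parse_show_certs(SHOW_CERTS), "nj-home.iteachs.com", "2017-01-01") or "chain OK")
```

Paste the full router output in place of the trimmed copy to run it against a real installation; the 30-day warning is the reminder this post's free certificate would have needed in early 2018.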
Step 8: Test
webvpn gateway iteachs.com
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint nj-home.iteachs.com
inservice
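Two checks worth running around the steps above, as an added example (not part of the original post and not Cisco code). First, the "Do you accept this certificate?" prompt in step 6 is the moment the router starts trusting the CA, and the only evidence it shows is the MD5/SHA1 fingerprint; `ios_fingerprint()` reproduces those lines from a copy of the CA certificate obtained some other way (the CA's website, a second machine) so the value can be compared before answering yes. Second, `lint_gateway()` flags the settings in step 2 and step 8 a reviewer would want changed before `inservice`: `revocation-check none` and the `rc4-md5` cipher suite. The PEM body here is constructed (base64 of the string `abc`, not a certificate) so the script runs offline; the configuration lines are copied from the post, and the replacement suite keywords named in the output are assumed to exist on the reader's IOS release.

```python
"""Fingerprint check for step 6 and a config lint for steps 2 and 8.

Added example, not part of the original post and not Cisco code. The PEM
below is constructed (base64 of 'abc', not a certificate) so the script runs
offline; the configuration is copied from the post. Standard library only.
"""
import base64
import hashlib

# Constructed stand-in for a PEM certificate: base64("abc"), not a real cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Copied from the post's step 2 and step 8 configuration.
CONFIG = """\
crypto pki trustpoint nj-home.iteachs.com
 enrollment terminal
 revocation-check none
 rsakeypair nj-home.iteachs.com
webvpn gateway iteachs.com
 ip interface Dialer1 port 443
 ssl encryption rc4-md5
 ssl trustpoint nj-home.iteachs.com
 inservice
"""

# IOS 'ssl encryption' keywords that should no longer be offered.
WEAK_SUITES = {
    "rc4-md5": "RC4 is prohibited in TLS (RFC 7465) and the MD5-based MAC is weak",
    "3des-sha1": "64-bit block cipher, exposed to the Sweet32 birthday attack",
}


def ios_fingerprint(pem, algo="sha1"):
    """Hash the DER body of a PEM certificate and format it the way IOS prints it."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    digest = hashlib.new(algo, base64.b64decode(body)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_matches(pem, prompt_value, algo="sha1"):
    """Compare an out-of-band copy of the CA cert with the value the router printed."""
    def norm(s):
        return s.replace(" ", "").upper()
    return norm(ios_fingerprint(pem, algo)) == norm(prompt_value)


def lint_gateway(config):
    """Return findings for the trustpoint and webvpn gateway configuration."""
    out, trustpoint = [], "?"
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith("crypto pki trustpoint "):
            trustpoint = words[-1]
        elif line == "revocation-check none":
            out.append(f"{trustpoint}: revocation-check none, so certificates validated "
                       "under this trustpoint (e.g. client certificates) are never checked "
                       "for revocation")
        elif line.startswith("ssl encryption"):
            weak = [w for w in words[2:] if w in WEAK_SUITES]
            for suite in weak:
                out.append(f"ssl encryption {suite}: {WEAK_SUITES[suite]}")
            if weak and len(weak) == len(words[2:]):
                # Keyword availability (aes-sha1, aes128-sha1, aes256-sha1) depends on the IOS release.
                out.append("no strong suite is offered; prefer an AES suite such as aes256-sha1")
    return out


if __name__ == "__main__":
    print("MD5 :", ios_fingerprint(SAMPLE_PEM, "md5"))
    print("SHA1:", ios_fingerprint(SAMPLE_PEM, "sha1"))
    for finding in lint_gateway(CONFIG):
        print("config:", finding)
```

For a real check, read the CA certificate file into `ios_fingerprint()` and compare against the `Fingerprint SHA1` line the router printed in step 6; a mismatch means the PEM you pasted is not the CA you think it is, and the answer at the prompt is no.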
Comments
one-time
Level 13
Thanks to the OP for the detailed write-up, thank you~
34369441
Level 1
Thanks for sharing :)
18653465190
Spotlight
Thanks to the OP for the detailed write-up, thank you
fortune
VIP Alumni
Thanks for sharing, learned something!
moxiuli
Level 9
Very practical. Great share
leathy001
Level 1
Expert, may I ask where the personal certificate comes from? I applied for a CA and it seems to have only a root certificate
wuhao0015
Spotlight
lucasss posted on 2019-6-4 09:13
Expert, may I ask where the personal certificate comes from? I applied for a CA and it seems to have only a root certificate

Having only the CA root certificate is not enough; you need to apply to an authoritative CA for the personal certificate. The CA can be one you build yourself, a free one, or a paid service. You will need to look up the specifics yourself.
The post used a free three-year service, which is no longer offered.
wuping26936
Level 1
This approach builds the trustpoint on the device and then creates the CSR. Is there a way to import a certificate that was already obtained externally straight into the device? Could the OP share the method for importing an externally obtained certificate into the device? Thanks