I've recently been doing lab work on a CSR1000v; following the config guide you can build a VPN on it. So I wanted to try fixing the self-signed certificate warning: I had a valid certificate issued by Let's Encrypt and then tried importing it onto the device, but it reported "CA cert is not found", and in show crypto pki trustpoints the corresponding trustpoint is empty. I looked through Cisco's documentation; most of it covers the device acting as the root CA, or associating it with a CA server. I found almost nothing about binding an externally issued certificate.
The relevant configuration is as follows:
crypto pki trustpoint localtrust
enrollment terminal pem
revocation-check crl
!
CSR1000v(config)#
crypto pki import localtrust pkcs12 terminal password passwd321 // what is imported here is a .p12 file
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
MIILuQIBAzCCC38GCSqGSIb3DQEHAaCCC3AEggtsMIILaDCCBh8GCSqGSIb3DQEH
BqCCBhAwggYMAgEAMIIGBQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIp8tO
…………part of the certificate content omitted…………
SsjPAdgCAggAgIIF2PKxADDYR6khxZLjr22re4ukYSbLkTp8CYIofJK9wqLUe2qZ
jxovEqc+djiDBULygmpfBAgh00qrZNjJwgICCAA=
% Warning: CA cert is not found. The imported certs might not be usable.
CRYPTO_PKI: Import PKCS12 operation failed to create trustpoint localtrust
CSR1000v(config)#
*Jan 8 11:58:18.581: %PKI-6-PKCS12IMPORT_FAIL: PKCS #12 Import Failed.
CSR1000v(config)#end
CSR1000v#
sh crypto pki trustpoints // the trustpoint list contains only the device's own; the localtrust I created shows no information
Trustpoint HTTPS_SS_CERT_KEYPAIR:
Subject Name:
serialNumber=9M68NV1D4W3+hostname=CSR1000v.abc.com
cn=CSR1000v.abc.com
Serial Number (hex): 01
Application generated trust point
Trustpoint localtrust:
CSR1000v#
sh run | se crypto
crypto pki trustpoint localtrust
enrollment terminal pem
revocation-check crl
crypto pki certificate chain localtrust
certificate 012645A50C10040FEAAD046C3F2C6F8D
30820577 3082045F A0030201 02021001 2645A50C 10040FEA AD046C3F 2C6F8D30
0D06092A 864886F7 0D01010B 0500306E 310B3009 06035504 06130255 53311530
13060355 040A130C 44696769 43657274 20496E63 31193017 06035504 0B131077
……part of the output omitted
I'd be very grateful if the experts here could point me in the right direction.
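A check worth running on the workstation before the import, added here as an example and not part of the original post: the import warning above says the device could not find a CA certificate, so the first thing to confirm is whether the .p12 being pasted actually carries the issuer chain, or only the end-entity certificate and key. The script below uses constructed test data: it builds a throwaway root, intermediate and leaf with openssl, packages the leaf once without and once with the chain, then counts the certificates in each bundle and checks whether the end-entity certificate's issuer is present. The password passwd321 and the subject CSR1000v.abc.com are taken from the post; the CA names, file names and the three-certificate chain are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build two PKCS#12 bundles from
# constructed test certificates and check whether each carries the issuer chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=passwd321   # same placeholder password as in the post; not a real secret

# Constructed test PKI: root -> intermediate -> leaf. A real deployment would
# use the certificate and key actually issued for the router instead.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=CSR1000v.abc.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
  # issuer chain: intermediate first, then root
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Leaf certificate and key only: no issuer certificate in the bundle at all
build_p12_leaf_only() {
  openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
    -passout "pass:$P12PASS" -out "$WORK/leaf-only.p12"
}

# Leaf, key and the issuer chain (-certfile) in one bundle
build_p12_with_chain() {
  openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/chain.pem" -passout "pass:$P12PASS" -out "$WORK/with-chain.p12"
}

# Dump the certificates (no keys) of a .p12 as PEM, with subject=/issuer= headers
p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null
}

# Number of certificates stored in the bundle
p12_cert_count() {
  p12_certs "$1" | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeeds when the issuer of the first (end-entity) certificate also appears
# as a subject inside the bundle, i.e. the CA certificate is actually there
p12_has_issuer() {
  certs=$(p12_certs "$1")
  issuer=$(printf '%s\n' "$certs" | awk '/^issuer=/ { sub(/^issuer=/, ""); print; exit }')
  printf '%s\n' "$certs" | sed -n 's/^subject=//p' | grep -qxF "$issuer"
}

make_chain
build_p12_leaf_only
build_p12_with_chain
for name in leaf-only with-chain; do
  f="$WORK/$name.p12"
  if p12_has_issuer "$f"; then status="issuer present"; else status="issuer MISSING"; fi
  printf '%s: %s certificate(s), %s\n' "$name.p12" "$(p12_cert_count "$f")" "$status"
done
```

Run the same two helpers against the real bundle (point p12_certs at it and use its password). A count of 1 with the issuer reported missing means the .p12 holds only the leaf and its key; rebuilding it with -certfile pointing at the issuer chain (certbot stores that chain beside the certificate as chain.pem) is what puts the CA certificates into the bundle.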