[Original] Requesting a WoSign PKI certificate on Cisco IOS

Posted on 2019-1-8 21:34:20
This is a note from a procedure I did earlier; I'm sharing it for anyone who needs it. It can be combined with SSL VPN to fix the certificate error reported on connection.

Step 1: generate the RSA key pair; note the modulus length is 2048.
crypto key generate rsa modulus 2048 label nj-home.iteachs.com

View the RSA key pair:
NJ-Home-C892#show crypto key mypubkey rsa
% Key pair was generated at: 11:22:49 BJ Feb 3 2016
Key name: nj-home.iteachs.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EAB433
  3FDA0313 8653705E 0F1C85CC 885A2979 D58D45CB 2B3B6A65 21E69450 59E32AA2
  AC202D8A 20EF3572 71C3A098 4D2AC5A2 613244DC 02C53395 4D547659 2A4F39E0
  9C09FC86 4E3B2217 00B3F6F0 CE470A8C CB5DFC1C E8DD9307 2C66063E C979746F
  D456B97D E5F681E2 1C0BC37B 97D4D46E 29379A91 D78D276B 3A9C126E 7F020301 0001
% Key pair was generated at: 22:20:55 BJ Feb 16 2016
Key name: nj-home.iteachs.com.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C754A8 F765B4F8
  E5AB3131 483E80BB 8E7F1D3B 1B59F9E3 7E8230EC 19053E2E 66993153 3E456A0E
  D8E4BB04 F03A536A 88CCBCEE 58E0658E 9CF55648 3B6DE2AB 4344D1B6 7A22EEFD
  3ED143E6 F0303690 E09C4365 5DE14CE4 BDA8F8E6 5B20C7DD DF020301 0001
NJ-Home-C892#

Step 2: configure the trustpoint.
crypto pki trustpoint nj-home.iteachs.com
enrollment terminal
serial-number none
subject-name cn=nj-home.iteachs.com, o=iteachs.com, ou=home, c=cn, l=Nanjing
revocation-check none
rsakeypair nj-home.iteachs.com

Step 3: generate the CSR.
NJ-Home-C892(config)#crypto pki enroll nj-home.iteachs.com
% Start certificate enrollment ..

% The subject name in the certificate will include: cn=nj-home.iteachs.com, o=iteachs.com, ou=home, c=cn, l=Nanjing
% The subject name in the certificate will include: nj-home.iteachs.com
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:

Step 4: submit the CSR to request the certificate.
Process omitted.

Step 5: download the root certificate and the issued identity certificate (from an MS CA or WoSign's free service).
Process omitted.

Step 6: import the root certificate (here the subordinate CA certificate).

NJ-Home-C892(config)#crypto pki authenticate nj-home.iteachs.com

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
Trustpoint 'nj-home.iteachs.com' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
       Fingerprint MD5: F3C9B96C 6DB39091 A183E334 9CA2FAD9
      Fingerprint SHA1: F4DB6D02 81F204D3 6E2D2FBF A72F7940 ED9D1ADC

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

NJ-Home-C892(config)#

Step 7: import the identity certificate.

NJ-Home-C892(config)#crypto pki import nj-home.iteachs.com certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported

NJ-Home-C892(config)#

View the imported certificates:
NJ-Home-C892#show crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 52014A699488C3FDDD0B739773BD5409
  Certificate Usage: General Purpose
  Issuer:
    cn=WoSign CA Free SSL Certificate G2
    o=WoSign CA Limited
    c=CN
  Subject:
    Name: nj-home.iteachs.com
    cn=nj-home.iteachs.com
  CRL Distribution Points:
    http://crls1.wosign.com/ca6-server1-free.crl
  Validity Date:
    start date: 16:09:00 BJ Feb 17 2016
    end   date: 16:09:00 BJ Feb 17 2018
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: DABFAE33 26FF86E0 AF29E86C 1C71B427
  Fingerprint SHA1: F18592E0 99786D61 B4CE64F4 40370C14 D9923C81
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 2AD186B9 D08F7AFC DF55A21E 5F8AEF65 FFD402E6
    X509v3 Basic Constraints:
        CA: FALSE
    X509v3 Subject Alternative Name:
        nj-home.iteachs.com
    X509v3 Authority Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
    Authority Info Access:
        OCSP URL: http://ocsp1.wosign.com/ca6/server1/free
    X509v3 CertificatePolicies:
        Policy: 1.3.6.1.4.1.36305.6.1.2.2.1
            Qualifier ID: 1.3.6.1.5.5.7.2.1
            Qualifier Info: http://www.wosign.com/policy/
        Policy: 2.23.140.1.2.1
  Associated Trustpoints: nj-home.iteachs.com
  Key Label: nj-home.iteachs.com

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 38F645C1E25D912CCE3B2B391231740D
  Certificate Usage: Signature
  Issuer:
    cn=Certification Authority of WoSign
    o=WoSign CA Limited
    c=CN
  Subject:
    cn=WoSign CA Free SSL Certificate G2
    o=WoSign CA Limited
    c=CN
  CRL Distribution Points:
    http://crls1.wosign.com/ca1.crl
  Validity Date:
    start date: 08:58:58 BJ Nov 8 2014
    end   date: 08:58:58 BJ Nov 8 2029
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: F3C9B96C 6DB39091 A183E334 9CA2FAD9
  Fingerprint SHA1: F4DB6D02 81F204D3 6E2D2FBF A72F7940 ED9D1ADC
  X509v3 extensions:
    X509v3 Key Usage: 6000000
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: E166CF0E D1F1B34B B7062014 FE8712D5 F6FEFB3E
    Authority Info Access:
        OCSP URL: http://ocsp1.wosign.com/ca1
    X509v3 CertificatePolicies:
        Policy: 1.3.6.1.4.1.36305.6.1.2.2.1
            Qualifier ID: 1.3.6.1.5.5.7.2.1
            Qualifier Info: http://www.wosign.com/policy/
  Associated Trustpoints: nj-home.iteachs.com

Step 8: test.
webvpn gateway iteachs.com
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint nj-home.iteachs.com
inservice
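Before answering "yes" at the "Do you accept this certificate?" prompt in step 6, the fingerprint IOS prints should be compared with the value obtained out-of-band, and after step 7 the identity certificate should actually chain to the trustpoint CA. The following script is an added example, not part of the original post: it parses an abbreviated copy of the post's own `show crypto pki certificates verbose` output and performs those checks. `SHOW_OUTPUT`, `hexnorm`, `parse_certs` and `check_chain` are names chosen for this example.

```python
import re

# Constructed sample: abbreviated copy of this post's "show crypto pki certificates verbose" output.
SHOW_OUTPUT = """\
Certificate
  Issuer:
    cn=WoSign CA Free SSL Certificate G2
  Subject:
    cn=nj-home.iteachs.com
  Fingerprint SHA1: F18592E0 99786D61 B4CE64F4 40370C14 D9923C81
  X509v3 Subject Key ID: 2AD186B9 D08F7AFC DF55A21E 5F8AEF65 FFD402E6
  X509v3 Authority Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7

CA Certificate
  Issuer:
    cn=Certification Authority of WoSign
  Subject:
    cn=WoSign CA Free SSL Certificate G2
  Fingerprint SHA1: F4DB6D02 81F204D3 6E2D2FBF A72F7940 ED9D1ADC
  X509v3 Subject Key ID: D2A71620 7CAFD995 9EEB430A 19F2E0B9 740EA8C7
  X509v3 Authority Key ID: E166CF0E D1F1B34B B7062014 FE8712D5 F6FEFB3E
"""

def hexnorm(s):
    """IOS prints hex in spaced 8-character groups; compare without the spaces."""
    return "".join(s.split()).upper()

def parse_certs(text):
    """Split the output at blank lines (one block per certificate) and extract the fields."""
    certs = []
    for block in text.strip().split("\n\n"):
        field = lambda pat: re.search(pat, block).group(1).strip()
        certs.append({
            "issuer": field(r"Issuer:\n\s*cn=(.+)"),
            "subject": field(r"Subject:\n\s*cn=(.+)"),
            "sha1": hexnorm(field(r"Fingerprint SHA1: (.+)")),
            "skid": hexnorm(field(r"Subject Key ID: (.+)")),
            "akid": hexnorm(field(r"Authority Key ID: (.+)")),
        })
    return certs

def check_chain(identity, ca, expected_ca_sha1):
    """Return the failed checks; an empty list means the imported pair is consistent."""
    checks = [
        (identity["issuer"] == ca["subject"], "identity Issuer != trustpoint CA Subject"),
        (identity["akid"] == ca["skid"], "identity Authority Key ID != CA Subject Key ID"),
        (ca["sha1"] == hexnorm(expected_ca_sha1), "CA SHA1 fingerprint != out-of-band value"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against real output by pasting the router's show output into `SHOW_OUTPUT` and passing the SHA1 fingerprint you confirmed out-of-band to `check_chain`.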
Posted 4 days ago
Thanks to the OP for the detailed share, thank you~
Posted 3 days ago
Thanks for sharing
Posted the day before yesterday at 13:39
Thanks to the OP for the detailed share, thank you