【原创】anyconnect导入数字证书

zylccna2015

*******************************************
1、清空所有密钥对及PKI TRUSTPOINT
(config)#crypto key zeroize rsa
(config)#no crypto pki trustpoint XXX
*******************************************
2、外部链接
在花生壳官网申请顶级域名，包含txt记录，同时对顶级域名打开DDNS服务

设备配置:
!
ip ddns update method oray
HTTP
  add http://xxx:xxx@ddns.oray.com/ph/update?hostname=www.kagamigawa.tech&&myip=
interval maximum 0 0 1 0
interval minimum 0 0 1 0
!
interface GigabitEthernet1
description WAN
no ip address
pppoe enable group global
cdp enable
pppoe-client dial-pool-number 1
!
interface Dialer1
description WAN
ip ddns update hostname www.kagamigawa.tech
ip ddns update oray host ddns.oray.com
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
ppp ipcp route default
!
测试下连通性：
C:\Users\Lenovo>ping www.kagamigawa.tech

正在 Ping www.kagamigawa.tech [49.118.72.197] 具有 32 字节的数据:
来自 49.118.72.197 的回复: 字节=32 时间=89ms TTL=242


没有问题继续

3、为域名申请SSL数字证书
在腾讯云中申请免费的数字签名证书

过程中需要进行DNS验证，回到花生壳中添加一条txt记录

下载已签发的数字证书

解压IIS文件夹中的xxx.pfx文件和keystorePass.txt到桌面然后上传到设备的bootflash:

4、安装及检查证书
(config)crypto pki import VPN pkcs12 bootflash:www.kagamigawa.tech.pfx password xxx

检查pki trustpoints
show crypto pki trustpoints
Trustpoint VPN:
    Subject Name:
    cn=TrustAsia TLS RSA CA
    ou=Domain Validated SSL
    o=TrustAsia Technologies
     Inc.
    c=CN
          Serial Number (hex): 0580267F06F29553348E1C185A5EEE2E
    Certificate configured.


检查根证书
show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0580267F06F29553348E1C185A5EEE2E
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject:
    cn=TrustAsia TLS RSA CA
    ou=Domain Validated SSL
    o=TrustAsia Technologies
     Inc.
    c=CN
  CRL Distribution Points:
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date:
    start date: 20:28:26 CST Dec 8 2017
    end   date: 20:28:26 CST Dec 8 2027
  Associated Trustpoints: VPN
  Storage: nvram:DigiCertGlob#EE2ECA.cer


检查个人证书
show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex):
  Certificate Usage: General Purpose
  Issuer:
    cn=TrustAsia TLS RSA CA
    ou=Domain Validated SSL
    o=TrustAsia Technologies
     Inc.
    c=CN
  Subject:
    Name: www.kagamigawa.tech
    cn=www.kagamigawa.tech
  Validity Date:
    start date:
    end   date:
  Associated Trustpoints: VPN
  Storage: nvram:TrustAsiaTLS#2B90.cer



5、anyconnect 配置
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authentication enable default none
aaa authorization network sslvpn local
!
ip domain name uq

!
username xxx privilege 15 password 7 xxx
!         
crypto ssl proposal sslvpn-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
msie-proxy server 192.168.1.100:8118
pool sslvpn
dns 192.168.0.1
def-domain uq
!
crypto ssl policy sslvpn-policy
ssl proposal sslvpn-proposal
pki trustpoint VPN sign
ip interface Dialer1 port 4443
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn-auth-policy
authentication remote user-pass
max-users 100
!
ip local pool sslvpn 192.168.32.100 192.168.32.254

6、web管理页面挂证书
ip http secure-trustpoint VPN