Configuring a Router as a CA Server
The simple lab topology is as follows
We will split this lab into two main parts:
+ Configuring the IOS CA Server
+ Configuring Router 2 to authenticate to the CA Server and request a certificate from the CA Server
Router>enable
Router#clock set
Router#clock set 9:08:00 16 May 2009
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ca_server
ca_server(config)#crypto key generate rsa general-keys label ca_server modulus 1024 exportable
The name for the keys will be: ca_server
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
ca_server(config)#crypto key export rsa ca_server pe
ca_server(config)#crypto key export rsa ca_server pem ur
ca_server(config)#crypto key export rsa ca_server pem url nvram: 3des cisco123
% Key name: ca_server
Usage: General Purpose Key
Exporting public key...
Destination filename [ca_server.pub]? nvram:ca_server.pub
Writing file to nvram:ca_server.pub
Exporting private key...
Destination filename [ca_server.prv]? nvram:ca_server.prv
Writing file to nvram:ca_server.prv
ca_server(config)#exit
ca_server#dir nvram:
Directory of nvram:/
150 -rw- 0 <no date> startup-config
151 ---- 0 <no date> private-config
1 -rw- 4 <no date> rf_cold_starts
2 -rw- 272 <no date> ca_server.pub
3 -rw- 963 <no date> ca_server.prv
155640 bytes total (152516 bytes free)
ca_server#conf t
ca_server(config)#crypto pki server ca_server
ca_server(cs-server)#database level names
ca_server(cs-server)#database url nvram:
ca_server(cs-server)#issuer-name CN=admin@athena.com L=Ho_Chi_Minh C=VN
ca_server(cs-server)#lifetime crl 24
ca_server(cs-server)#lifetime certificate 254
ca_server(cs-server)#lifetime ca-certificate 508
ca_server(cs-server)#grant auto
ca_server(cs-server)#cdp-url http://192.168.1.1
ca_server(cs-server)#no sh
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:cisco123
Re-enter password:cisco123
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
ca_server(cs-server)#
ca_server#dir nvram:
Directory of nvram:/
150 -rw- 0 <no date> startup-config
151 ---- 0 <no date> private-config
1 -rw- 4 <no date> rf_cold_starts
2 -rw- 272 <no date> ca_server.pub
3 -rw- 963 <no date> ca_server.prv
4 -rw- 32 <no date> ca_server.ser
5 -rw- 95 <no date> 1.cnm
6 -rw- 245 <no date> ca_server.crl
7 -rw- 1691 <no date> ca_server.p12
155640 bytes total (147396 bytes free)
- Verify the PKI server configuration
ca_server#show crypto pki server
Certificate Server ca_server:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=admin@athena.com L=Ho_Chi_Minh C=VN
CA cert fingerprint: 5D3754F6 7A44B91D E58EBC8A 9F37ABF2
Granting mode is: auto
Last certificate issued serial number: 0x2
CA certificate expiration timer: 09:18:27 UTC Oct 6 2010
CRL NextUpdate timer: 09:18:28 UTC May 17 2009
Current storage dir: nvram:
Database Level: Names - subject name data written as <serialnum>.cnm
- Verify the certificate on the router
ca_server#show crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=admin@athena.com L=Ho_Chi_Minh C=VN
Subject:
cn=admin@athena.com L=Ho_Chi_Minh C=VN
Validity Date:
start date: 09:18:27 UTC May 16 2009
end date: 09:18:27 UTC Oct 6 2010
Associated Trustpoints: ca_server
- Configure Router 2 to obtain a certificate from the IOS CA Server
Router>enable
Router#clock set 9:34:00 16 May 2009
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#ip domain name athena.com
R2(config)#int fa 0/0
R2(config-if)#ip add 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R2.athena.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R2(config)#
May 16 09:35:38.779: %SSH-5-ENABLED: SSH 1.99 has been enabled
R2(config)#crypto ca trustpoint ca_server
R2(ca-trustpoint)#enrollment mode ra
R2(ca-trustpoint)#enrollment retry count 5
R2(ca-trustpoint)#enrollment retry period 3
R2(ca-trustpoint)#enrollment url http://192.168.1.1
R2(ca-trustpoint)#revocation-check none
R2(ca-trustpoint)#exit
R2(config)#crypto ca authenticate ca_server
Certificate has the following attributes:
Fingerprint MD5: 5D3754F6 7A44B91D E58EBC8A 9F37ABF2
Fingerprint SHA1: D104519F A2F987B3 F136C5E4 8E54785C 1BB0F890
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R2#dir nvram:
Directory of nvram:/
150 -rw- 0 <no date> startup-config
151 ---- 0 <no date> private-config
1 -rw- 4 <no date> rf_cold_starts
155640 bytes total (154564 bytes free)
- Request a certificate from the CA Server
R2(config)#crypto ca enroll ca_server
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R2.athena.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 3B843B84
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ca_server verbose' command will show the fingerprint.
R2(config)#
May 16 09:37:34.743: CRYPTO_PKI: Certificate Request Fingerprint MD5: 1EC1BF4B 31907650 16018B4E 71F59819
May 16 09:37:34.751: CRYPTO_PKI: Certificate Request Fingerprint SHA1: FBA0C774 E7D8AB99 E1E9754B 060335F0 8F2E90A9
May 16 09:37:37.395: %PKI-6-CERTRET: Certificate received from Certificate Authority
R2#show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=admin@athena.com L=Ho_Chi_Minh C=VN
Subject:
Name: R2.athena.com
Serial Number: 3B843B84
serialNumber=3B843B84+hostname=R2.athena.com
CRL Distribution Points:
http://192.168.1.1
Validity Date:
start date: 09:37:44 UTC May 16 2009
end date: 09:37:44 UTC Jan 25 2010
Associated Trustpoints: ca_server
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=admin@athena.com L=Ho_Chi_Minh C=VN
Subject:
cn=admin@athena.com L=Ho_Chi_Minh C=VN
Validity Date:
start date: 09:18:27 UTC May 16 2009
end date: 09:18:27 UTC Oct 6 2010
Associated Trustpoints: ca_server
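As an added example (not part of the original lab), a small Python helper for the two checks an operator should make in this procedure: parse R2's `show crypto ca certificates` output and confirm the issued validity periods match the `lifetime certificate 254` and `lifetime ca-certificate 508` configured on the CA, and compare the fingerprint displayed at `crypto ca authenticate` against the one from `show crypto pki server` on the CA before answering "yes". The sample output and fingerprint strings are copied from the transcript above; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample input: R2's `show crypto ca certificates` output, trimmed to the fields read here.
SHOW_CERTS = """\
Certificate
Certificate Serial Number: 02
start date: 09:37:44 UTC May 16 2009
end date: 09:37:44 UTC Jan 25 2010
CA Certificate
Certificate Serial Number: 01
start date: 09:18:27 UTC May 16 2009
end date: 09:18:27 UTC Oct 6 2010
"""
# Lifetimes configured on the CA: `lifetime certificate 254`, `lifetime ca-certificate 508`.
EXPECTED_DAYS = {"Certificate": 254, "CA Certificate": 508}
# Fingerprint from `show crypto pki server` on the CA, and the MD5 R2 displayed at authenticate time.
CA_FINGERPRINT = "5D3754F6 7A44B91D E58EBC8A 9F37ABF2"
CLIENT_PROMPT_MD5 = "5D3754F6 7A44B91D E58EBC8A 9F37ABF2"
DATE_FMT = "%H:%M:%S %Z %b %d %Y"  # IOS date format, e.g. 09:18:27 UTC Oct 6 2010

def parse_show_certs(text):
    """Split `show crypto ca certificates` output into one dict per certificate block."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Certificate", "CA Certificate"):  # header line starts a new block
            cur = {"type": line}
            certs.append(cur)
        elif cur is not None and ": " in line:  # "key: value" field lines
            key, _, val = line.partition(": ")
            cur[key] = val
    return certs

def lifetime_days(cert):
    start = datetime.strptime(cert["start date"], DATE_FMT)
    end = datetime.strptime(cert["end date"], DATE_FMT)
    return (end - start).days

def check_lifetimes(certs, expected=EXPECTED_DAYS):
    """Map serial number -> True when the issued validity equals the CA's configured lifetime."""
    return {c["Certificate Serial Number"]: lifetime_days(c) == expected[c["type"]] for c in certs}

def fingerprint_matches(shown_on_ca, shown_at_prompt):
    """Compare IOS fingerprints (8-hex-digit groups) ignoring case/spacing; the prompt value must
    match an out-of-band copy from the CA before 'yes' is given to `crypto ca authenticate`."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    a, b = norm(shown_on_ca), norm(shown_at_prompt)
    return len(a) in (32, 40) and a == b  # a full MD5 (32) or SHA1 (40) digest, not a prefix
```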
Good luck!