Demonstration: various network security devices and VPN devices apply for certificates from the Microsoft Certificate Server

Supporting Demo Video: http://edu.51cto.com/course/course_id-485-page-2.html

In many cases, applications with asymmetric encryption are not limited to servers, but also need to be used on network devices, such as SSH, the certificate is the most typical application of asymmetric encryption. It is particularly famous for its IPsec-based VPN applications, such: certificates can be used when configuring VPN based on Cisco IOS, ASA, PIX, and VPN concentrator. Therefore, network devices, especially security devices, may apply for certificates from the certificate server at any time, how to deploy these network devices to apply for a certificate from the Certificate Server is the focus of the task.

Note: This task only demonstrates the process of applying for a certificate from a Cisco network device to a Microsoft Certificate Server, and does not include the complete configuration of the VPN, because it is not within the scope of this course, for more information about how to apply a certificate to a VPN, see the VPN Technology Section of this series of courses.

About the process of applying for a CA for a network device:

3.170 describes the process of applying for a certificate from a vro to a CA:

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RWS0-0.png "title =" 1.png"/>

Step 1:First, you must configure a network device. For example, the vro supports CA, and router R1 generates a public/private key pair locally, the instructions used to generate a public/private key pair will be described in the demo section of this task.

Step 2:Before a vro applies for a certificate from a CA, the vro must verify the validity of the CA server. In fact, the vro will obtain a self-issued certificate from the CA server, this self-issued certificate can reflect the identity of the CA and contain the CA's public key, so as to reflect the legitimacy of the CA.

Step 3:The router formally submits a certificate application to the CA. In fact, the operation is that router R1 obtains the public key of the public/private key pair generated in step 1 to the CA for a valid signature, why do we need a legitimate signature? Because: when other network devices such as R2 need to use the R1 public key to encrypt data, R2 must make sure that this public key must belong to R1, instead of a public key belonging to a "villain", the most scientific way for R2 to determine whether the public key belongs to R1 is to check whether the public key has its own signature that trusts the CA. If yes, the public key must be R1, which is the value of the existence of a third-party trust institution.

Step 4:After the Certificate Server CA reviews the Certificate Application of R1, it issues a certificate for R1 and backs up relevant information to its own knowledge base.

Note: during the above process, the public/private key pair is generated locally on the vro, And the CA only verifies the validity of the public key by issuing a certificate, that is to say, the Public Key in the certificate issued by the CA to the router is not generated by the CA, but generated by the router. The CA only recognizes the validity of the certificate.

Practical demonstration: various network security devices and VPN devices apply for certificates from the Microsoft Certificate Server

Demonstration objectives:Configure Cisco router R1 to apply for a certificate from Microsoft's Certificate Server

Demo environment:As shown in figure 3.171.

Demo tool:Cisco router, certificate component based on windows 2003 Server, SCEP plug-in.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RTW2-1.png "title =" 2.png"/>

Demo steps:

Step 1:Configure the communication between router R1 and the Certificate Server. The specific configuration is as follows. Make sure that the certificate server and the router can be pinged to each other. The result is shown in Figure 3.172.

Basic configurations on router R1:

R1 (config) # interfacee1/0 * enters the E1/0 interface configuration mode

R1 (config-if) # ipaddress 192.168.201.2 255.255.0 * configure IP addresses for this interface

R1 (config-if) # noshutdown * activate this interface

R1 (config-if) # exit

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RV029-2.png "title =" 3.png"/>

Step 2:Install the certificate component on the Certificate Server. Before formally installing the certificate component, make sure that the Certificate Server has the IIS component installed, as shown in Figure 3.173, because the router also applies for a certificate in the form of a URL. Then, when formally installing the certificate component, make sure that the independent Root CA is selected as shown in Figure 3.175.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RR2C-3.png "title =" 4.png"/>

Note: When configuring a vro to apply for a certificate from Microsoft's certificate server, it is not enough to install only the certificate components in step 2. You must also install the SCEP plug-in. What is SCEP, why is SCEP plug-in installed?

SCEP (Simple Certificate Enrollment Protocol ):

It is a simple certificate registration protocol jointly developed by Cisco, VerSign, Entrust, Microsoft, and SunMicrosystems. It provides a standard method for managing the certificate lifecycle, the certificate processing function allows devices of different vendors to operate on each other. Therefore, if two devices of different vendors need to operate on each other, you must install the SCEP protocol for the Certificate Server, it is embodied in an independent plug-in.

Step 3:After installing the SCEP protocol, click the SCEP installation package. The prompt shown in 3.175 is displayed. If you want to install the simple certificate registration protocol on the Certificate Server, because the current demo environment is two different vendors operating on the Certificate Service, You must select YES.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RV354-4.png "title =" 5.png"/>

The dialog box shown in Figure 3.176 is displayed. You must select an application identity for the SCEP protocol attached to the certificate server. Select a local system account here. Next, fill in the SCEP Registration Authority (RA) related content in the dialog box in Figure 3.177, and then next, if Advanced EnrollmentOptions is selected ), the content shown in Figure 3.178 indicates the length of the key configured for encryption or data signatures. The default value is 1024 bits. You can adjust the length according to your environment requirements, the longer the number of digits of a key, the higher the Security. Of course, the longer the time it takes to generate a key or encrypt data.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RV607-5.png "title =" 6.png"/>

At the end of SCEP configuration, a prompt is displayed, as shown in Figure 3.179, indicating that the installation is successful. After applying for a certificate for the user, you need to use the URL address of SCEP when registering the certificate. Here, remember this address, because in the subsequent steps, the UEL address will be configured on the router so that its router can successfully locate the Certificate Server where the SCEP component is installed.

650) this. width = 650; "src =" http://img1.51cto.com/attachment/201308/210713479.png "title =" 7.png"/>

Step 4:Now, configure the router to apply for a certificate from the Certificate Server. In order to allow you to configure the router to apply for a certificate in a more organized manner, the configuration is divided into the following eight parts:

1. Configure the Time of the router

2. Configure the Host Name of the vro

3. Configure the Domain Name of the router

4. Generate a local key pair

5. Configure vro support CA

6. Verify the Certificate Server

7. Apply for a certificate from the ca on the vro

8. view the certificate on the vro

Vro configuration time:

R1 # clock set07: 07: 00 listen l 25 2013

Configure the vro Host Name:

R1 (config) # hostnameR1

Configure the Domain Name of the router:

R1 (config) # ipdomain-name catesting.com

Generate a local key pair:

R1 (config) # cryptokey generate rsa

The following is a system prompt:

The name for the keys will be: R1.catesting.com

Choose the size of the key modulus inthe range of  to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

A few minutes.

How many bits in the modulus [512]: *Length of the specified key

% Generating 512 bit RSA keys, keys willbe non-exportable... [OK]

Note: The RSA key pair generated locally on the vro, that is, the public/private key pair used by the vro in security applications. Later, the CA only authenticates the public key in the key pair, and issue a certificate.

Configure vro support CA:

R1 (config) # crypto catrustpoint myca

* Declare a CA trust point named myca.

R1 (ca-trustpoint) # enrollmentmode ra

* Declares the mode of registration and accreditation.

R1 (ca-trustpoint) # enrollmenturl http: // 192.168.201.1/certsrv/mscep. dll

* Declare the URL registration address of the Certificate Server.

R1 (ca-trustpoint) # exit

Verify the Certificate Server:

R1 (config) # crypto caauthenticate myca

Certificate has the following attributes:* The fingerprint of the Self-issued certificate provided by the Certificate Server

Fingerprint MD5: 67222CEF DACC9750 2A6DFE6C FCFE9DD3

Fingerprint SHA1: 3A5DB0C1 6FC94736 EF1194B8 E1F965D1 C06A46D6

% Do you accept this certificate? [Yes/no]: y* Ask if you want to receive a self-issued certificate from the Certificate Server

TrustpointCACertificateaccepted.

Note: When the router verifies the Certificate Server, the router actually accepts a self-issued certificate from the Certificate Server CA.

Apply for a certificate from the ca on the vro:

First, go to the Certificate Server CA and enter the URL name http: // 192.168.201.1/certsrv/mscep in IE. dll obtains the challenge password shown in Figure 3.180, because the vro uses this password when formally applying for a certificate from the CA.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RTW1-7.png "title =" 8.png"/>

R1 (config) # cryptoca enroll myca

* Formally launch a certificate application on the vro

System prompt:

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

Password to the CA Administrator in order torevke your certificate.

For security reasons yourpassword will not be saved in the configuration.

Please make anote of it.

Password:*Usage Diagram3.180Password shown in

Re-enter password:*Enter the password again

% The subject name in the certificate will include: R1.catesting.com*Indicates the Domain Name of the router.

% Include the router serial number in the subject name? [Yes/no]: n*Whether to include the vro serial number in the topic

% Include an IP address in the subject name? [No]: n*Include in this topicIPAddress

Request certificate from CA? [Yes/no]: y*Whether to apply for a certificate. You must select Yes here.

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate myca verbose 'commandwill show the fingerprint.

After applying for a certificate on the vro, go to the Certificate Server CA and open the Certificate Authority Management Console, as shown in Figure 3.181. In the pending application container, you can see a certificate to be processed and select to issue it to router R1. After the certificate is issued, the certificate shown in Figure 3.182 is displayed in the issued certificate container, this certificate is the certificate issued by the CA to router R1. You can check the content issued to and issuer.

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/063RW3Y-8.png "title =" 9.png"/>

This completes the training demonstration process for the entire network device to apply for a certificate from the Microsoft Certificate Server. At this time, you can use the certificate on router R1 for different security purposes, such as IPsec VPN, but this does not belong to the scope of this course, so we will not describe it here.

This article is from the "unknown Christ" blog. For more information, contact the author!