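1. Introduction to certificates on Cisco routers
As is well known, a certificate is generally used by a device to prove its identity to external parties. A router's main job is routing and forwarding packets, so why would it need a certificate?
That depends on the features enabled on the router. For example, a router can act as an SSL VPN gateway, an IPsec VPN gateway, or a web server (for external management), and its voice module can provide Secure SRST.
A Cisco router can obtain a certificate in three main ways: self-signing, requesting a certificate from a CA by copy and paste, and requesting a certificate from a CA over SCEP.
2. Self-signed certificate
(1) Generate a public/private key pair
crypto key generate rsa modulus 2048 label caowen-c2911.key
(2) Create a trustpoint for the CA and fill in the basic information for the certificate being requested
Because the certificate is self-signed, the CA is the router itself.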
crypto pki trustpoint caowen-c2911
enrollment selfsigned
fqdn caowen-c2911.crdc.cisco
subject-name cn=caowen-c2911.cisco,ou=crdc,o=cisco,st=shanghai,c=CN
revocation-check none
rsakeypair caowen-c2911.key
eku request server-auth client-auth code-signing
(3) Generate the self-signed certificate
crypto pki enroll caowen-c2911
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-1283911835.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
(4) View the key, trustpoint and certificate
show crypto key mypubkey rsa caowen-c2911.key
show crypto pki trustpoint caowen-c2911
show crypto pki certificates caowen-c2911
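The trustpoint from step (2) can be reviewed offline once it is saved in the configuration. The following is an added example, not part of the original article or of any Cisco tool: it parses trustpoint stanzas from running-config text and flags settings worth a second look. The finding codes and function names are hypothetical, and the sample is constructed from the values in section 2.

```python
import re

# Constructed sample: the section 2 trustpoint as it would appear in a saved
# running-config (sub-commands indented by one space, stanza closed by "!").
SAMPLE_CONFIG = """\
crypto pki trustpoint caowen-c2911
 enrollment selfsigned
 fqdn caowen-c2911.crdc.cisco
 subject-name cn=caowen-c2911.cisco,ou=crdc,o=cisco,st=shanghai,c=CN
 revocation-check none
 rsakeypair caowen-c2911.key
 eku request server-auth client-auth code-signing
!
"""

def parse_trustpoints(config):
    """Return {trustpoint name: {sub-command keyword: argument string}}."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto pki trustpoint (\S+)", line)
        if header:
            current = trustpoints.setdefault(header.group(1), {})
        elif current is not None and line.startswith(" "):
            keyword, _, args = line.strip().partition(" ")
            current[keyword] = args
        else:
            current = None  # any unindented line ends the stanza
    return trustpoints

def audit(tp):
    """Return sorted finding codes (names are hypothetical) for one trustpoint."""
    findings = set()
    if tp.get("enrollment", "").split()[:1] == ["selfsigned"]:
        findings.add("SELF_SIGNED")  # no CA vouches for it; peers must trust it explicitly
    if tp.get("revocation-check") == "none":
        findings.add("NO_REVOCATION_CHECK")
    if "code-signing" in tp.get("eku", "").split():
        findings.add("EKU_INCLUDES_CODE_SIGNING")  # wider than a VPN or web server needs
    cn = re.search(r"cn=([^,]+)", tp.get("subject-name", ""), re.I)
    if cn and "fqdn" in tp and cn.group(1).lower() != tp["fqdn"].lower():
        findings.add("CN_FQDN_MISMATCH")  # confirm which name clients will validate
    if "rsakeypair" not in tp:
        findings.add("NO_NAMED_KEYPAIR")  # no rsakeypair line ties it to a labelled key
    return sorted(findings)

if __name__ == "__main__":
    for name, tp in parse_trustpoints(SAMPLE_CONFIG).items():
        print(name, audit(tp))
```

On the section 2 values it reports that the subject CN (caowen-c2911.cisco) differs from the configured fqdn (caowen-c2911.crdc.cisco), so check which name clients will connect to before deploying the certificate.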
3. Requesting a certificate from a CA by copy and paste
(1) Generate a public/private key pair
crypto key generate rsa modulus 2048 label caowen-c2911.key
(2) Create a trustpoint for the CA and fill in the basic information for the certificate being requested
crypto pki trustpoint RootCA
enrollment terminal
fqdn caowen-c2911.crdc.ci