例说图解TCP/IP协议族--PKI与证书(7)之给思科路由器制作证书

1. 思科路由器的证书介绍

    众所周知，证书一般用于设备向外部证明自己的身份，而路由器主要是用于数据包的路由转发，怎么会需要证书呢？

    其实这取决于路由器上的一些feature，例如路由器可以作为SSL VPN GATEWAY、 IPSEC VPN GATEWAY、WEB SERVER（用于外部管理），还有就是路由器的语音模块中的Secure SRST。

    思科路由器证书的获取方式主要是三种，自签发、通过复制粘贴方式向CA申请证书、通过SCEP协议向CA申请证书。

 

2. 自签发证书

  （1）生成一对公私钥

crypto key rsa generate modulus 2048 label caowen-c2911.key

  （2）针对CA创建trustpoint，并填写要申请证书的基本信息

            由于是自签发证书，故CA是路由器自身。

crypto pki trustpoint caowen-c2911
 enrollment selfsigned
 fqdn caowen-c2911.crdc.cisco.com
 subject-name cn=caowen-c2911.cisco.com,ou=crdc,o=cisco,st=shanghai,c=CN
 revocation-check none
 rsakeypair caowen-c2911.key
 eku request server-auth client-auth code-signing 

   （3）生成自签发证书

crypto pki enroll caowen-c2911

The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-1283911835.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

   （4）查看key, trustpoint和证书

show crypto key mypubkey rsa caowen-c2911.key

show crypto pki trustpoint caowen-c2911

show crypto pki certificates caowen-c2911

 

3. 通过复制粘贴方式向CA申请证书

（1）生成一对公私钥

crypto key generate rsa modulus 2048 label caowen-c2911.key

（2）针对CA创建trustpoint，并填写要申请证书的基本信息

crypto pki trustpoint RootCA
 enrollment terminal
 fqdn caowen-c2911.crdc.ci