(Start of the configuration for the VPN connection to the tier-3 subsidiary)
3745(config)#crypto isakmp policy 10
3745(config-isakmp)#encr 3des
3745(config-isakmp)#authentication pre-share
3745(config-isakmp)#group 2
3745(config-isakmp)#crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
(pre-shared key for the tier-3 peers; the wildcard address 0.0.0.0 0.0.0.0 means any host that knows this key may negotiate with the router, so a long random key should be used instead of 12345)
3745(config-isakmp)#exit
3745(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
3745(cfg-crypto-trans)#exit
3745(config)#crypto dynamic-map mymap 10
3745(config-crypto-map)#set transform-set myset
3745(config-crypto-map)#match address 110
3745(config-crypto-map)#exit
3745(config)#crypto map mymap 10 ipsec-isakmp dynamic mymap
(the dynamic map is referenced from a static crypto map entry; the crypto map still has to be bound to the outside interface with "crypto map mymap" under that interface, a step this excerpt does not show)
3745(config)#ip http server
3745(config)#no ip http secure-server
(enables the router's cleartext HTTP management interface and disables HTTPS; the SCEP enrollment below does not need it, since the router is the HTTP client there)
3745(config)#access-list 10 permit 10.0.0.0 0.255.255.255
(ACL that only allows internal users on 10.0.0.0/8 to Telnet to this router for management)
3745(config)#access-list 110 permit ip 10.0.0.0 0.255.255.255 10.3.1.0 0.0.0.255
(crypto ACL: traffic between the internal network 10.0.0.0/8 and the tier-3 branch network 10.3.1.0/24 is sent through the VPN)
3745(config)#line vty 0 4
3745(config-line)#password cisco
3745(config-line)#access-class 10 in
(only internal users may Telnet to this router for management; "cisco" is a well-known default password, and once SSH is enabled below, "transport input ssh" on these lines would stop cleartext Telnet logins altogether)
3745(config-line)#end
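The policy, key, transform set and vty lines above carry several settings a reviewer would flag: 3DES and MD5, DH group 2, a five-character pre-shared key accepted from any peer address, cleartext HTTP management and a vty password of cisco. The Python script below is an added example, not part of the original transcript or of Cisco IOS; it runs a small set of checks over a constructed copy of those commands and over a hardened variant whose key and peer address (203.0.113.10) are made-up values, and reports each weak setting it finds.

```python
"""Audit the commands above for the weak VPN and management settings they carry.

Added example, not part of the original transcript. SAMPLE_CONFIG is a constructed
copy of the page's commands with prompts removed; HARDENED_CONFIG, its key and
peer address (203.0.113.10) are illustrative values chosen here.
"""
from __future__ import annotations
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map mymap 10
 set transform-set myset
 match address 110
crypto map mymap 10 ipsec-isakmp dynamic mymap
ip http server
no ip http secure-server
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 10.3.1.0 0.0.0.255
line vty 0 4
 password cisco
 access-class 10 in
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Rk7vq2L9pXw4sTb8mZ1nQe6yH3dF address 203.0.113.10 255.255.255.255
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
ip http secure-server
line vty 0 4
 transport input ssh
 access-class 10 in
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
GUESSABLE = {"cisco", "password", "admin", "12345", "123456"}
MIN_PSK_LEN = 16


def audit(config: str) -> list[tuple[str, str]]:
    """Return (check_id, detail) findings for an IOS configuration text."""
    findings: list[tuple[str, str]] = []
    section = ""            # last unindented command; names the submode we are in
    vty: list[str] = []     # commands seen under 'line vty'
    http_server = http_secure = False

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):                    # global configuration command
            section = line
            http_server |= line == "ip http server"
            http_secure |= line == "ip http secure-server"
            m = re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+) (\S+)$", line)
            if m:
                key, addr, mask = m.groups()
                if addr == "0.0.0.0" and mask == "0.0.0.0":
                    findings.append(("wildcard-psk-peer", "key accepted from any peer address"))
                if len(key) < MIN_PSK_LEN or key.lower() in GUESSABLE:
                    findings.append(("weak-psk", f"key '{key}' is short or guessable"))
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            if m:
                bad = sorted(set(m.group(2).split()) & WEAK_ESP)
                if bad:
                    findings.append(("weak-esp", f"{m.group(1)}: {' '.join(bad)}"))
            continue
        words = line.split()                            # submode command
        if section.startswith("crypto isakmp policy") and len(words) >= 2:
            kw, arg, where = words[0], words[1], f"{section}: {' '.join(words)}"
            if kw == "encr" and arg in WEAK_ENCR:
                findings.append(("weak-isakmp-encr", where))
            elif kw == "hash" and arg in WEAK_HASH:
                findings.append(("weak-isakmp-hash", where))
            elif kw == "group" and arg in WEAK_DH_GROUPS:
                findings.append(("weak-dh-group", where))
        elif section.startswith("line vty"):
            vty.append(" ".join(words))

    if http_server and not http_secure:
        findings.append(("http-cleartext-mgmt", "ip http server without ip http secure-server"))
    for cmd in vty:
        if cmd.startswith("password ") and cmd.split(None, 1)[1].lower() in GUESSABLE:
            findings.append(("vty-weak-password", f"line vty: {cmd}"))
    if vty and "transport input ssh" not in vty:       # default allows Telnet
        findings.append(("vty-telnet-allowed", "no 'transport input ssh' on line vty"))
    if vty and not any(c.startswith("access-class ") for c in vty):
        findings.append(("vty-no-access-class", "line vty reachable from any source address"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for check, detail in audit(cfg):
            print(f"  {check:22} {detail}")
```

The checks are deliberately line-oriented so they can be pointed at the output of "show running-config" as well; the hardened variant assumes an IOS release that accepts "encr aes 256", "hash sha256" and "esp-sha256-hmac", and a username for the SSH login is still to be added.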
3745#configure terminal
3745(config)#clock timezone GMT 8
(must be the same time zone as the WIN2000SERVER)
3745(config)#exit
3745#clock set hh:mm:ss day month year
(must match the time on the WIN2000SERVER; the router checks certificate validity periods against its own clock, so a clock that is off makes the enrolled certificates appear not yet valid or expired)
3745#configure terminal
3745(config)#ip domain-name cisco.com
3745(config)#ip host <WIN2000SERVER hostname> <WIN2000SERVER IP address>
3745(config)#crypto key generate rsa
(after entering the command the following messages appear)
*Mar 1 00:02:53.872: %SSH-5-ENABLED: SSH 1.5 has been enabled
% You already have RSA keys defined named R1.cisco.com.
(enter "y")
% Do you really want to replace them? [yes/no]: y
(after entering "y" the following appears)
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
(enter "1024")
How many bits in the modulus [512]: 1024
(after entering "1024" the following appears)
*Mar 1 00:03:06.577: %SSH-5-DISABLED: SSH 1.5 has been disabled
% Generating 1024 bit RSA keys ...[OK]
3745(config)#crypto ca trustpoint <WIN2000SERVER hostname>
3745(ca-trustpoint)#enrollment url http://<WIN2000SERVER hostname>/certsrv/mscep/mscep.dll
3745(ca-trustpoint)#enrollment mode ra
3745(ca-trustpoint)#crl optional
(peer certificates are still accepted when the CRL cannot be fetched, so a revoked certificate is not rejected in that case)
3745(ca-trustpoint)#exit
3745(config)#crypto ca authenticate <WIN2000SERVER hostname>
(downloads the CA certificate; IOS prints its fingerprint and asks whether to accept it, so compare that fingerprint with the one shown on the CA itself before answering yes)
3745(config)#crypto ca enroll <WIN2000SERVER hostname>
(after entering the command the following appears; then choose a challenge password and enter it twice)
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
(after entering the password twice the following appears)
% The fully-qualified domain name in the certificate will be: R2.cisco.com
% The subject name in the certificate will include: R2.cisco.com
% Include the router serial number in the subject name? [yes/no]: y
(entering "y" shows the following)
% The serial number in the certificate will be: 2B51777C
(enter "n")
% Include an IP address in the subject name? [no]: n
(after entering "n" the following appears; then enter "y")
Request certificate from CA? [yes/no]: y
(after entering "y" the following appears)
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate peixuna-02 verbose' command will show the fingerprint.
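"crypto ca authenticate" prints the fingerprint of the certificate it fetched and "show crypto ca certificate ... verbose" shows it again later; that value only protects the enrollment if it is compared with the CA's own fingerprint out of band. The Python script below is an added example, not part of the page or of any Cisco or Microsoft tool: it builds the GetCACert query the router sends to mscep.dll, unwraps the PKCS#7 bundle that RA mode returns, and prints the MD5 and SHA-1 fingerprints of each certificate in it, marking the self-signed one, which is the CA certificate. The DER walker is minimal (single-byte tags, no signature checking), the certificates built in main() are constructed stand-ins rather than real X.509 data, and fetch_getcacert() is the only part that touches the network.

```python
"""Fingerprints of the certificates a SCEP GetCACert query returns, for comparison
with what IOS shows during 'crypto ca authenticate'.

Added example, not part of the original page or of Cisco IOS. The DER walker is
minimal (single-byte tags, no validation); the sample built in main() is a
constructed stand-in, not a real certificate chain.
"""
from __future__ import annotations
import hashlib
import urllib.request
from urllib.parse import urlencode

MSCEP_PATH = "/certsrv/mscep/mscep.dll"                # path from the enrollment url above
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def getcacert_url(host: str, ca_ident: str = "") -> str:
    """SCEP GetCACert query as the router sends it (message = CA identifier, may be empty)."""
    return f"http://{host}{MSCEP_PATH}?" + urlencode({"operation": "GetCACert", "message": ca_ident})


def fetch_getcacert(host: str) -> tuple[str, bytes]:
    """Online helper: (content type, body) of the GetCACert response."""
    with urllib.request.urlopen(getcacert_url(host)) as resp:
        return resp.headers.get_content_type(), resp.read()


def der_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos; returns (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, full encoding, inner value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = der_tlv(value, pos)
        yield tag, value[pos:end], inner
        pos = end


def certs_from_pkcs7(blob: bytes) -> list[bytes]:
    """Certificates carried by the degenerate SignedData that RA mode returns."""
    tag, content_info, _ = der_tlv(blob)
    oid, explicit = list(der_children(content_info))[:2]
    if tag != 0x30 or oid[2] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, signed_data, _ = der_tlv(explicit[2])           # unwrap [0] EXPLICIT SignedData
    for tag, _, inner in der_children(signed_data):
        if tag == 0xA0:                                # [0] IMPLICIT certificates SET
            return [full for t, full, _ in der_children(inner) if t == 0x30]
    return []


def is_self_signed(cert: bytes) -> bool:
    """issuer == subject in tbsCertificate marks the CA cert among the RA certs."""
    _, cert_value, _ = der_tlv(cert)
    tbs = next(der_children(cert_value))[2]
    fields = [full for tag, full, _ in der_children(tbs) if tag != 0xA0]  # drop [0] version
    return fields[2] == fields[4]                      # issuer, subject


def fingerprints(content_type: str, body: bytes) -> list[dict]:
    """MD5/SHA-1 over the DER, the values 'show crypto ca certificate' prints."""
    if content_type == "application/x-x509-ca-cert":          # CA only, raw DER
        certs = [body]
    elif content_type == "application/x-x509-ca-ra-cert":     # RA mode, PKCS#7 bundle
        certs = certs_from_pkcs7(body)
    else:
        raise ValueError(f"unexpected GetCACert content type: {content_type}")
    return [{"self_signed": is_self_signed(c),
             "md5": hashlib.md5(c).hexdigest().upper(),
             "sha1": hashlib.sha1(c).hexdigest().upper()} for c in certs]


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_cert(subject: bytes, issuer: bytes) -> bytes:
    """Constructed Certificate-shaped DER with dummy fields; not a real X.509 certificate."""
    def name(cn: bytes) -> bytes:                      # Name -> RDN SET -> AVA (2.5.4.3 = CN)
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


def fake_pkcs7(certs: list[bytes]) -> bytes:
    """Constructed degenerate SignedData carrying the given certificates."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                 + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))


if __name__ == "__main__":
    ca = fake_cert(b"WIN2000SERVER CA", b"WIN2000SERVER CA")
    ra = fake_cert(b"MSCEP RA", b"WIN2000SERVER CA")
    print(getcacert_url("WIN2000SERVER"))
    for fp in fingerprints("application/x-x509-ca-ra-cert", fake_pkcs7([ca, ra])):
        print(fp)   # compare the self_signed entry with the fingerprint the router shows
```

Against a real CA, replace the constructed sample with fetch_getcacert("<WIN2000SERVER hostname>") run from a workstation on the internal network, and accept the router's "% Do you accept this certificate?" prompt only when the fingerprint it prints equals the self-signed entry.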