Certificate request from a Windows 2003 CA server

Network requirements

Configure PKI entity Device to request a local certificate from the CA server.

Figure 72: Network diagram

Configuring the CA server

  • Install the certificate service suites:

    1. Select Control Panel > Add or Remove Programs from the start menu.

    2. Select Add/Remove Windows Components > Certificate Services.

    3. Click Next to begin the installation.

  • Install the SCEP add-on:

    Because a CA server running Windows Server 2003 does not support SCEP by default, you must install the SCEP add-on so that the switch can register and obtain its certificate automatically. After the SCEP add-on installation completes, a URL is displayed, which you must configure on the switch as the URL of the server for certificate registration.

  • Modify the certificate service attributes:

    1. Select Control Panel > Administrative Tools > Certificate Authority from the start menu.

      If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.

    2. Right-click the CA server in the navigation tree and select Properties > Policy Module.

    3. Click Properties and select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

  • Modify the Internet Information Services (IIS) attributes:

    1. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu.

    2. Select Web Sites from the navigation tree.

    3. Right-click Default Web Site and select Properties > Home Directory.

    4. Specify the path for certificate service in the Local path text box.

      To avoid conflict with existing services, specify an available port number as the TCP port number of the default website.

    After completing the configuration, make sure the system clock of the switch is synchronized with that of the CA server, so that the switch can request a certificate normally.

Configuring the switch

  • Configure the entity name as aaa and the common name as device.

    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] quit

  • Configure the PKI domain:

    # Create PKI domain torsa and enter its view.

    [Device] pki domain torsa

    # Configure the name of the trusted CA as myca.

    [Device-pki-domain-torsa] ca identifier myca

    # Configure the URL of the registration server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server.

    [Device-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll

    # Set the registration authority to RA.

    [Device-pki-domain-torsa] certificate request from ra

    # Specify the entity for certificate request as aaa.

    [Device-pki-domain-torsa] certificate request entity aaa

  • Generate a local key pair using RSA:

    [Device] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits in the modulus [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++

  • Apply for certificates:

    # Retrieve the CA certificate and save it locally.

    [Device] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while......
    The trusted CA's finger print is:
        MD5  fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
        SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4

    Is the finger print correct?(Y/N):y

    Saving CA/RA certificates chain, please wait a moment......
    CA certificates retrieval success.

    # Request a local certificate manually.

    [Device] pki request-certificate domain torsa challenge-word
    Certificate is being requested, please wait......
    [Device]
    Enrolling the local certificate,please wait a while......
    Certificate request Successfully!
    Saving the local certificate to device......
    Done!
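    The "Is the finger print correct?" prompt is the one point in this procedure where the operator can confirm that the CA certificate fetched over plain HTTP from the SCEP URL really is the CA's. The following script is an added example, not code from the page or the switch vendor: it assumes you have obtained a DER copy of the CA certificate out of band (for instance from the CA server's CertEnroll share), hashes it, and compares the result with the values the switch displayed, accepting the switch's spaced-hex form, the lower-case paired form of the Windows certificate dialog, or a bare hex string.

```python
import hashlib
import re
import sys

# Fingerprints exactly as the switch printed them at the "Is the finger print correct?"
# prompt (copied from this page's output).
SWITCH_MD5 = "766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB"
SWITCH_SHA1 = "97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4"


def normalize(fp: str) -> str:
    """Drop separators and case so the switch's 'XXXX XXXX' form, the Windows
    certificate dialog's 'xx xx' thumbprint and a bare hex string compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprints(der: bytes) -> dict:
    """MD5 and SHA-1 over the DER-encoded CA certificate, which is what the switch hashes."""
    return {"MD5": hashlib.md5(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}


def matches_switch_prompt(der: bytes, switch_md5: str, switch_sha1: str) -> bool:
    """True only when both values agree with the copy obtained out of band;
    answer N at the prompt and investigate when this returns False."""
    fp = fingerprints(der)
    return fp["MD5"] == normalize(switch_md5) and fp["SHA1"] == normalize(switch_sha1)


if __name__ == "__main__":
    # Usage: python check_fp.py <ca-cert.cer>  (DER file of the CA certificate obtained
    # out of band, e.g. from the CertEnroll share); the expected values are those the
    # switch displayed.
    with open(sys.argv[1], "rb") as f:
        der = f.read()
    print("MATCH" if matches_switch_prompt(der, SWITCH_MD5, SWITCH_SHA1) else "MISMATCH")
```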
    

Verifying the configuration

    # Display information about the retrieved local certificate.

    [Device] display pki certificate local domain torsa
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                48FA0FD9 00000000 000C
            Signature Algorithm: sha1WithRSAEncryption
            Issuer:
                CN=myca
            Validity
                Not Before: Feb 21 12:32:16 2012 GMT
                Not After : Feb 21 12:42:16 2012 GMT
            Subject:
                CN=device
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00A6637A 8CDEA1AC B2E04A59 F7F6A9FE
                        5AEE52AE 14A392E4 E0E5D458 0D341113
                        0BF91E57 FA8C67AC 6CE8FEBB 5570178B
                        10242FDD D3947F5E 2DA70BD9 1FAF07E5
                        1D167CE1 FC20394F 476F5C08 C5067DF9
                        CB4D05E6 55DC11B6 9F4C014D EA600306
                        81D403CF 2D93BC5A 8AF3224D 1125E439
                        78ECEFE1 7FA9AE7B 877B50B8 3280509F
                        6B
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
                X509v3 Authority Key Identifier:
                keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
    
                X509v3 CRL Distribution Points:
                URI:http://l00192b/CertEnroll/CA%20server.crl
                URI:file://\\l00192b\CertEnroll\CA server.crl
    
                Authority Information Access:
                CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
                CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
    
                1.3.6.1.4.1.311.20.2:
                    .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
        Signature Algorithm: sha1WithRSAEncryption
            81029589 7BFA1CBD 20023136 B068840B
    (Omitted)
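    Reading the display output by eye is error-prone, so the following added example (not code from the page or the switch vendor) parses the output shown above and checks it against the PKI domain settings configured earlier: the issuer CN must equal the ca identifier, the subject CN must equal the entity's common-name, and the validity window, key size and signature algorithm are reported when they are short or weak. The embedded sample is a trimmed copy of this page's own output; the thresholds (one hour, 2048 bits, no SHA-1) are the example's assumptions.

```python
import re
from datetime import datetime, timezone

# Trimmed copy of this page's "display pki certificate local domain torsa" output.
DISPLAY_OUTPUT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=myca
        Validity
            Not Before: Feb 21 12:32:16 2012 GMT
            Not After : Feb 21 12:42:16 2012 GMT
        Subject:
            CN=device
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
"""
TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_display_output(text: str) -> dict:
    """Extract the fields needed to check the enrollment from the CLI output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.MULTILINE)
        if not m: raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()
    to_utc = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    return {
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer_cn": grab(r"Issuer:\s*\n\s*CN=(\S+)"),
        "subject_cn": grab(r"Subject:\s*\n\s*CN=(\S+)"),
        "not_before": to_utc(grab(r"Not Before:\s*(.+)$")),
        "not_after": to_utc(grab(r"Not After\s*:\s*(.+)$")),
        "key_bits": int(grab(r"RSA Public Key:\s*\((\d+) bit\)")),
    }


def check_enrollment(cert: dict, ca_identifier: str, common_name: str) -> list:
    """Return findings; an empty list means the certificate matches the PKI domain settings."""
    lifetime = cert["not_after"] - cert["not_before"]
    checks = [
        (cert["issuer_cn"] == ca_identifier, f"issuer CN {cert['issuer_cn']} != ca identifier {ca_identifier}"),
        (cert["subject_cn"] == common_name, f"subject CN {cert['subject_cn']} != entity common-name {common_name}"),
        (lifetime.total_seconds() >= 3600, f"validity window is only {lifetime}; check the CA certificate template"),
        (cert["key_bits"] >= 2048, f"{cert['key_bits']}-bit RSA key is below the 2048-bit minimum"),
        (not cert["sig_alg"].lower().startswith("sha1"), f"signature algorithm {cert['sig_alg']} is deprecated"),
    ]
    return [msg for ok, msg in checks if not ok]
```

    Run against the page's output, check_enrollment(parse_display_output(DISPLAY_OUTPUT), "myca", "device") confirms the issuer and subject but reports the ten-minute validity window, the 1024-bit key and the SHA-1 signature.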
    

    You can also use other display commands to display more information about the CA certificate. For more information about the display pki certificate ca domain command, see Security Command Reference.