Certificate request from a Windows 2003 CA server
Network requirements
Configure PKI entity Device to request a local certificate from the CA server.
Figure 72: Network diagram
Configuring the CA server
Install the certificate service suites:
Select Control Panel > Add or Remove Programs from the start menu.
Select Add/Remove Windows Components > Certificate Services.
Click Next to begin the installation.
Install the SCEP add-on:
Because a CA server running the Windows 2003 server does not support SCEP by default, you must install the SCEP add-on so that the switch can register and obtain its certificate automatically. After the SCEP add-on installation completes, a URL is displayed, which you must configure on the switch as the URL of the server for certificate registration.
Modify the certificate service attributes:
Select Control Panel > Administrative Tools > Certificate Authority from the start menu.
If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.
Right-click the CA server in the navigation tree and select Properties > Policy Module.
Click Properties and select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
Select Web Sites from the navigation tree.
Right-click Default Web Site and select Properties > Home Directory.
Specify the path for certificate service in the Local path text box.
To avoid conflict with existing services, specify an available port number as the TCP port number of the default website.
Modify the Internet Information Services (IIS) attributes:
Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu.
Select Web Sites from the navigation tree.
Right-click Default Web Site and select Properties > Home Directory.
Specify the path for certificate service in the Local path text box.
To avoid conflict with existing services, specify an available port number as the TCP port number of the default website.
After completing the configuration, make sure the system clock of the switch is synchronous to that of the CA server, so that that the switch can request a certificate normally.
Configuring the switch
Configure the entity name as aaa and the common name as device.
<Device> system-view [Device] pki entity aaa [Device-pki-entity-aaa] common-name device [Device-pki-entity-aaa] quit
Configure the PKI domain:
# Create PKI domain torsa and enter its view.
[Device] pki domain torsa
# Configure the name of the trusted CA as myca.
[Device-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server.
[Device-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
# Set the registration authority to RA.
[Device-pki-domain-torsa] certificate request from ra
# Specify the entity for certificate request as aaa.
[Device-pki-domain-torsa] certificate request entity aaa
Generate a local key pair using RSA:
[Device] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits in the modulus [default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++
Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while...... The trusted CA's finger print is: MD5 fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment...... CA certificates retrieval success.
# Request a local certificate manually.
[Device] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait...... [Device] Enrolling the local certificate,please wait a while...... Certificate request Successfully! Saving the local certificate to device...... Done!
Verifying the configuration
# Display information about the retrieved local certificate.
[Device] display pki certificate local domain torsa Certificate: Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption Issuer: CN=myca Validity Not Before: Feb 21 12:32:16 2012 GMT Not After : Feb 21 12:42:16 2012 GMT Subject: CN=device Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B (Omitted)
You can also use some other display commands to display more information about the CA certificate. For more information about the display pki certificate ca domain command, see Security Command Reference.