wo1261450762 posted on 2025-8-8 15:31:05

[Case Study] Cisco Device PKI Lab (continuously updated)

<h1>1. Environment</h1>
<p><img src="data/attachment/forum/202508/08/112458eh2dj8ooj2eu4e25.png" alt="image.png" title="image.png" /></p>
<p>Note: the devices circled in red in the figure are the ones used in this lab; the device list is as follows:</p>
<table>
<thead>
<tr>
<th>Region</th>
<th>Device</th>
<th>Image</th>
</tr>
</thead>
<tbody>
<tr>
<td>Site 1</td>
<td>CSR1</td>
<td>default CSR image from the "lazy pack"</td>
</tr>
<tr>
<td>Site 2</td>
<td>CSR2</td>
<td>default CSR image from the "lazy pack"</td>
</tr>
<tr>
<td>Site 2</td>
<td>CSR3</td>
<td>default CSR image from the "lazy pack"</td>
</tr>
<tr>
<td>Core</td>
<td>VIOS</td>
<td>default VIOS image from the "lazy pack"</td>
</tr>
</tbody>
</table>
<ul>
<li class="vditor-task vditor-task--done"><input checked="" disabled="" type="checkbox" /> Site 1 runs AD and DNS on a Windows Server; CA certificates will later be issued through that Windows Server.</li>
<li class="vditor-task vditor-task--done"><input checked="" disabled="" type="checkbox" /> The core region interconnects all regions: device routing is established with OSPF, the core advertises a default route through OSPF, and the core reaches the Internet via NAT over a bridged external network. (Note: an NTP server built inside the lab never synchronized, while an external NTP server synchronized immediately; the cause is not yet understood.)</li>
</ul>
<h1>2. Initial Environment Configuration</h1>
<h2>2.1 Microsoft Domain Initialization</h2>
<ul>
<li>
<p>Add the AD role on Windows Server; a DNS service is created by default.</p>
<p><img src="data/attachment/forum/202508/08/143110f7chvvh5cecfc1cp.png" alt="image.png" title="image.png" /></p>
<p>Note: DNS hosts the domain pkitest.com, and the service needs a forwarder to 223.5.5.5: names with local records are resolved locally, everything else is forwarded to 223.5.5.5. This forwarder is what the NTP service relies on.</p>
<h2>2.2 Device Initialization</h2>
<pre><code>------------CSR1-------------------
!
clock timezone GMT 8
!
ip domain name pkitest.com

hostname CSR1
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet1
ip address 100.1.1.150 255.255.255.0
no shutdown
!
router ospf 1
network 100.1.1.0 0.0.0.255 area 0
!
ip http server
-------------CSR2-----------------
!
clock timezone GMT 8
!
ip domain name pkitest.com

hostname CSR2
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet2
ip address 100.1.2.150 255.255.255.0
!
router ospf 1
network 100.1.2.0 0.0.0.255 area 0
--------------CSR3----------------
!
clock timezone GMT 8
!
ip domain name pkitest.com

hostname CSR3
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet3
ip address 100.1.3.150 255.255.255.0
!
router ospf 1
network 100.1.3.0 0.0.0.255 area 0
----------------HX--------------
!
clock timezone GMT 8
!
ip domain name pkitest.com

hostname HX
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/1
ip address 100.1.1.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 100.1.2.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/3
ip address 100.1.3.254 255.255.255.0
ip nat inside
!
router ospf 1
network 100.1.1.0 0.0.0.255 area 0
network 100.1.2.0 0.0.0.255 area 0
network 100.1.3.0 0.0.0.255 area 0
default-information originate always
!
ip forward-protocol nd
!
ip http server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.31.1
!
access-list 1 permit 100.1.1.0 0.0.0.255
access-list 1 permit 100.1.2.0 0.0.0.255
access-list 1 permit 100.1.3.0 0.0.0.255
!
</code></pre>
</li>
</ul>
<p>Verification:</p>
<pre><code>CSR1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       &amp; - replicated local route overrides by connected

Gateway of last resort is 100.1.1.254 to network 0.0.0.0

O*E2  0.0.0.0/0 via 100.1.1.254, 04:21:08, GigabitEthernet1
      100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        100.1.1.0/24 is directly connected, GigabitEthernet1
L        100.1.1.150/32 is directly connected, GigabitEthernet1
O        100.1.2.0/24 via 100.1.1.254, 04:21:08, GigabitEthernet1
O        100.1.3.0/24 via 100.1.1.254, 04:21:08, GigabitEthernet1
CSR1#ping 100.1.2.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.2.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
CSR1#ping 100.1.3.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
CSR1#ping ntp.aliyun.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.107.6.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/29/30 ms
CSR1#show ntp status
Clock is synchronized, stratum 3, reference is 203.107.6.88
nominal freq is 250.0000 Hz, actual freq is 249.9911 Hz, precision is 2**10
ntp uptime is 1569800 (1/100 of seconds), resolution is 4016
reference time is EC401A77.DA5E3798 (14:40:55.853 GMT Fri Aug 8 2025)
clock offset is 22.2035 msec, root delay is 44.86 msec
root dispersion is 30.28 msec, peer dispersion is 4.92 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000035631 s/s
system poll interval is 64, last update was 124 sec ago.
</code></pre>
<p>Reference: Baidu search for "CA 服务器的部署【基于 CiscoIOS 】" (deploying a CA server based on Cisco IOS).</p>
<h1>3. Building the CA Service</h1>
<p>On CSR1:</p>
<p><code>crypto key generate rsa label CA modulus 2048   // generate an RSA key pair labelled CA</code></p>
<p>On CSR1, CSR2 and CSR3 respectively, create:</p>
<p><code>crypto key generate rsa label TEST modulus 2048   // generate an RSA key pair labelled TEST</code></p>
<p><code>show crypto key mypubkey rsa      // display the RSA keys generated on this device</code></p>
<p>On CSR1:</p>
<p><code>crypto pki trustpoint CA    // optional: creating the CA server generates this trustpoint automatically</code></p>
<p><code>rsakeypair CA   // optional</code></p>
<p>Create the CA server on CSR1:</p>
<pre><code>!
crypto pki server CA
database level complete
database archive pkcs12 password 7 022E115A1C0306011D1C5A   // archive the CA key pair and certificate as PKCS#12 (the type 7 string only obfuscates the password)
issuer-name cn=ca.pkitest.com, ou=pkitest   // CN and OU of the issuer
lifetime certificate 100            // validity of issued certificates, in days
lifetime ca-certificate 3650          // validity of the CA root certificate, in days
no shutdown                            // start the CA server
Verification:
CSR1#show crypto pki server CA
Certificate Server CA:
    Status: enabled
    State: enabled
    Server's configuration is locked(enter &quot;shut&quot; to unlock it)
    Issuer name: cn=ca.pkitest.com, ou=pkitest
    CA cert fingerprint: 7BB5B34C 1134324C E43A57BE B18251F8
    Granting mode is: manual
    Last certificate issued serial number (hex): 4
    CA certificate expiration timer: 10:22:27 GMT Aug 6 2035
    CRL NextUpdate timer: 16:22:29 GMT Aug 8 2025
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as &lt;serialnum&gt;.cer
</code></pre>
<p>On CSR1, CSR2 and CSR3, create the TEST trustpoint (CSR1 values shown):</p>
<pre><code>
!
crypto pki trustpoint TEST
enrollment url http://100.1.1.150:80   // request the CA certificate over HTTP
fqdn csr1.pkitest.com                  // each of CSR1-CSR3 uses its own FQDN, which needs a matching DNS record
ip-address 100.1.1.150                   // address of the requesting device
subject-name cn=csr1.pkitest.com,ou=pkitest   // CN and OU
subject-alt-name csr1.pkitest.com      // requester's name (subject alternative name)
revocation-check crl   // validate certificates against the CA's CRL
rsakeypair TEST         // use the TEST key pair created above
!   
crypto pki authenticate TEST    // answer yes   // fetch the CA certificate through trustpoint TEST; the CA certificate fingerprint is displayed and must be confirmed offline before accepting
       Fingerprint MD5: 7BB5B34C 1134324C E43A57BE B18251F8
      Fingerprint SHA1: DFCC5413 87D6FB12 869237BD 1CDF7797 9E40B7B0
</code></pre>
<p>Request an identity certificate from the CA server:</p>
<pre><code>
CSR1#show crypto pki certificates DMVPN
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
    cn=ca.pkitest.com
    ou=pkitest
Subject:
    Name: csr1.pkitest.com
    IP Address: 100.1.1.150
    ipaddress=100.1.1.150+hostname=csr1.pkitest.com
    cn=csr1.pkitest.com
    ou=pkitest
Validity Date:
    start date: 11:10:10 GMT Aug 8 2025
    end   date: 11:10:10 GMT Feb 4 2026
Associated Trustpoints: DMVPN

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
    cn=ca.pkitest.com
    ou=pkitest
Subject:
    cn=ca.pkitest.com
    ou=pkitest
Validity Date:
    start date: 10:22:27 GMT Aug 8 2025
    end   date: 10:22:27 GMT Aug 6 2035
Associated Trustpoints: DMVPN CA
Storage: nvram:capkitestcom#1CA.cer
CSR1#terminal monitor
CSR1(config)#crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:      [left empty; press Enter]
Aug  8 02:44:03.476: %PKI-6-CERT_ENROLL_MANUAL: Manual enrollment for trustpoint DMVPN
Re-enter password: [left empty; press Enter]

% The subject name in the certificate will include: cn=csr1.pkitest.com,ou=pkitest
% The subject name in the certificate will include: csr1.pkitest.com
% Include the router serial number in the subject name? : no [do not include the serial number]
% The IP address in the certificate is 100.1.1.150
Request certificate from CA? : yes [yes]
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' command will show the fingerprint.
CSR1(config)#
Aug  8 02:44:10.913: %PKI-6-CSR_FINGERPRINT:
                      CSR Fingerprint MD5 : F63D5C4D79CBF26868EDB4EEDF51A38E
                      CSR Fingerprint SHA1: 001E542021501F4ADB384552B329EDEBDA2AFA9B
Aug  8 02:44:10.914: CRYPTO_PKI:Certificate Request Fingerprint MD5: F63D5C4D 79CBF268 68EDB4EE DF51A38E
Aug  8 02:44:10.916: CRYPTO_PKI:Certificate Request Fingerprint SHA1: 001E5420 21501F4A DB384552 B329EDEB DA2AFA9B
CSR1#crypto pki server CA grant 1    // issue the certificate for request 1
CSR1#show crypto pki server CA requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
3      pending    6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2      pending    DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1      granted    F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest

CSR1#crypto pki server CA grant 2   // issue the certificate for request 2
CSR1#crypto pki server CA grant 3   // issue the certificate for request 3
CSR1#show crypto pki server CA requests    // list the pending and granted certificate requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
3      granted    6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2      granted    DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1      granted    F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest
CSR1#show crypto pki certificates TEST
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
    cn=ca.pkitest.com
    ou=pkitest
Subject:
    Name: csr1.pkitest.com
    IP Address: 100.1.1.150
    ipaddress=100.1.1.150+hostname=csr1.pkitest.com
    cn=csr1.pkitest.com
    ou=pkitest
Validity Date:
    start date: 11:10:10 GMT Aug 8 2025
    end   date: 11:10:10 GMT Feb 4 2026
Associated Trustpoints: TEST

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
    cn=ca.pkitest.com
    ou=pkitest
Subject:
    cn=ca.pkitest.com
    ou=pkitest
Validity Date:
    start date: 10:22:27 GMT Aug 8 2025
    end   date: 10:22:27 GMT Aug 6 2035
Associated Trustpoints: DMVPN CA
Storage: nvram:capkitestcom#1CA.cer
</code></pre>
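<p>As an added example that is not part of the original post, the following Python script reproduces the two manual checks this procedure relies on: comparing a fingerprint shown on the router (the CA fingerprint printed by <code>crypto pki authenticate</code>, or the CSR fingerprint logged by <code>%PKI-6-CSR_FINGERPRINT</code>) with what the CA reports, and reviewing the enrollment request database before <code>grant</code>. Run over the request table above, it flags requests 2 and 3, whose hostname attribute is still csr1.pkitest.com although their CN is csr2/csr3 (what happens when the <code>fqdn</code> line is copied unchanged between routers); the EXPECTED inventory is an assumption for this lab.</p>

```python
import re

# Constructed sample: the "Router certificates requests" table from the lab output above.
REQUESTS_OUTPUT = """\
Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
3      pending    6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2      pending    DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1      granted    F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest
"""

# Assumed inventory for this lab: the IP and FQDN each router's request should carry.
EXPECTED = {
    "csr1.pkitest.com": ("100.1.1.150", "csr1.pkitest.com"),
    "csr2.pkitest.com": ("100.1.2.150", "csr2.pkitest.com"),
    "csr3.pkitest.com": ("100.1.3.150", "csr3.pkitest.com"),
}
# ReqID, State, 32-hex-digit MD5 fingerprint, SubjectName (header/separator rows do not match)
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+([0-9A-Fa-f]{32})\s+(\S+)$")


def fingerprints_match(shown, expected):
    """Compare two fingerprints ignoring the spacing and case differences between displays."""
    norm = lambda s: re.sub(r"\s+", "", s).upper()
    return norm(shown) == norm(expected)


def parse_requests(text):
    """Parse request rows into {id, state, fingerprint, subject{attr: value}}."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        req_id, state, fp, subject = m.groups()
        # SubjectName is "k=v+k=v,k=v,..."; both '+' and ',' separate attributes
        attrs = dict(p.partition("=")[::2] for p in re.split(r"[+,]", subject))
        rows.append({"id": int(req_id), "state": state, "fingerprint": fp.upper(),
                     "subject": {k.lower(): v for k, v in attrs.items()}})
    return rows


def review_before_grant(rows, expected=EXPECTED):
    """Return {req_id: reason} for requests whose subject disagrees with the inventory;
    fix the router's trustpoint (fqdn / ip-address) and re-enroll instead of granting."""
    problems = {}
    for r in rows:
        s = r["subject"]
        want = expected.get(s.get("cn"))
        if want is None:
            problems[r["id"]] = "CN not in inventory: %s" % s.get("cn")
        elif (s.get("ipaddress"), s.get("hostname")) != want:
            problems[r["id"]] = "got %s/%s, want %s/%s" % (s.get("ipaddress"), s.get("hostname"), *want)
    return problems
```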