1. Environment overview

Note: the devices circled in red in the diagram are the ones used in this lab. Device list:

Area   | Device | Image
Site 1 | CSR1   | default CSR image from the pre-built lab bundle
Site 2 | CSR2   | default CSR image from the pre-built lab bundle
Site 2 | CSR3   | default CSR image from the pre-built lab bundle
Core   | VIOS   | default VIOS image from the pre-built lab bundle
2. Initial environment configuration
2.1 Microsoft domain initialization
Add the AD role on Windows Server; this also installs a DNS service by default.

Note: the DNS server hosts the zone pkitest.com and needs a forwarder to 223.5.5.5. Names that exist locally are answered locally; everything else is forwarded to 223.5.5.5. This forwarding is what lets the routers resolve the NTP server so the NTP service can be enabled.
2.2 Device initialization
------------CSR1-------------------
!
clock timezone GMT 8
!
ip domain name pkitest.com
!
hostname CSR1
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet1
ip address 100.1.1.150 255.255.255.0
no shutdown
!
router ospf 1
network 100.1.1.0 0.0.0.255 area 0
!
ip http server
-------------CSR2-----------------
!
clock timezone GMT 8
!
ip domain name pkitest.com
!
hostname CSR2
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet2
ip address 100.1.2.150 255.255.255.0
!
router ospf 1
network 100.1.2.0 0.0.0.255 area 0
--------------CSR3----------------
!
clock timezone GMT 8
!
ip domain name pkitest.com
!
hostname CSR3
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet3
ip address 100.1.3.150 255.255.255.0
!
router ospf 1
network 100.1.3.0 0.0.0.255 area 0
----------------HX--------------
!
clock timezone GMT 8
!
ip domain name pkitest.com
!
hostname HX
!
ip name-server 100.1.1.100
!
ntp server ntp.aliyun.com
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/1
ip address 100.1.1.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
ip address 100.1.2.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/3
ip address 100.1.3.254 255.255.255.0
ip nat inside
!
router ospf 1
network 100.1.1.0 0.0.0.255 area 0
network 100.1.2.0 0.0.0.255 area 0
network 100.1.3.0 0.0.0.255 area 0
default-information originate always
!
ip forward-protocol nd
!
ip http server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.31.1
!
access-list 1 permit 100.1.1.0 0.0.0.255
access-list 1 permit 100.1.2.0 0.0.0.255
access-list 1 permit 100.1.3.0 0.0.0.255
!
Verification:
CSR1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 100.1.1.254 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 100.1.1.254, 04:21:08, GigabitEthernet1
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 100.1.1.0/24 is directly connected, GigabitEthernet1
L 100.1.1.150/32 is directly connected, GigabitEthernet1
O 100.1.2.0/24 [110/2] via 100.1.1.254, 04:21:08, GigabitEthernet1
O 100.1.3.0/24 [110/2] via 100.1.1.254, 04:21:08, GigabitEthernet1
CSR1#ping 100.1.2.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.2.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
CSR1#ping 100.1.3.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/7 ms
CSR1#ping ntp.aliyun.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.107.6.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/29/30 ms
CSR1#show ntp status
Clock is synchronized, stratum 3, reference is 203.107.6.88
nominal freq is 250.0000 Hz, actual freq is 249.9911 Hz, precision is 2**10
ntp uptime is 1569800 (1/100 of seconds), resolution is 4016
reference time is EC401A77.DA5E3798 (14:40:55.853 GMT Fri Aug 8 2025)
clock offset is 22.2035 msec, root delay is 44.86 msec
root dispersion is 30.28 msec, peer dispersion is 4.92 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000035631 s/s
system poll interval is 64, last update was 124 sec ago.
Reference: search Baidu for "CA 服务器的部署【基于 CiscoIOS】" (deploying a CA server on Cisco IOS).
3. Building the CA service
On CSR1:
crypto key generate rsa label CA modulus 2048 // generate an RSA key pair labelled CA for the CA server
On each of CSR1, CSR2 and CSR3:
crypto key generate rsa label TEST modulus 2048 // generate an RSA key pair labelled TEST for the router's own certificate
show crypto key mypubkey rsa // list the RSA key pairs generated on this router
On CSR1:
crypto pki trustpoint CA // optional; enabling the CA server creates this trustpoint automatically
rsakeypair CA // optional
Create the CA server on the CSR (CSR1):
!
crypto pki server CA
database level complete
database archive pkcs12 password 7 022E115A1C0306011D1C5A // PKCS#12 archive of the CA key and certificate; the type 7 encoding shown here is reversible, so treat this line as sensitive
issuer-name cn=ca.pkitest.com, ou=pkitest // CA subject: CN and OU
lifetime certificate 100 // validity period of issued certificates
lifetime ca-certificate 3650 // validity period of the CA root certificate
no shutdown // start the CA server
Verification:
CSR1#show crypto pki server CA
Certificate Server CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: cn=ca.pkitest.com, ou=pkitest
CA cert fingerprint: 7BB5B34C 1134324C E43A57BE B18251F8
Granting mode is: manual
Last certificate issued serial number (hex): 4
CA certificate expiration timer: 10:22:27 GMT Aug 6 2035
CRL NextUpdate timer: 16:22:29 GMT Aug 8 2025
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
On CSR1, CSR2 and CSR3, create the TEST trustpoint (CSR1 shown; adjust the names and address on each router):
!
crypto pki trustpoint TEST
enrollment url http://100.1.1.150:80 // request certificates from the CA over HTTP
fqdn csr1.pkitest.com // each router's own FQDN (csr1/csr2/csr3.pkitest.com), with a matching DNS record; note that in the request database below CSR2 and CSR3 still show hostname=csr1.pkitest.com, so this line was copied unchanged
ip-address 100.1.1.150 // the requesting router's address
subject-name cn=csr1.pkitest.com,ou=pkitest // CN and OU of the requester
subject-alt-name csr1.pkitest.com // requester's name as a subjectAltName
revocation-check crl // check peer certificates against the CA's CRL
rsakeypair TEST // use the TEST key pair generated earlier
!
crypto pki authenticate TEST (answer yes when prompted) // fetch the CA certificate through trustpoint TEST; IOS displays the CA certificate fingerprint, which must be confirmed out of band (it should match the CA cert fingerprint in show crypto pki server CA above) before accepting
Fingerprint MD5: 7BB5B34C 1134324C E43A57BE B18251F8
Fingerprint SHA1: DFCC5413 87D6FB12 869237BD 1CDF7797 9E40B7B0
Request an identity certificate from the CA server:
CSR1#show crypto pki certificates DMVPN
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca.pkitest.com
ou=pkitest
Subject:
Name: csr1.pkitest.com
IP Address: 100.1.1.150
ipaddress=100.1.1.150+hostname=csr1.pkitest.com
cn=csr1.pkitest.com
ou=pkitest
Validity Date:
start date: 11:10:10 GMT Aug 8 2025
end date: 11:10:10 GMT Feb 4 2026
Associated Trustpoints: DMVPN
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca.pkitest.com
ou=pkitest
Subject:
cn=ca.pkitest.com
ou=pkitest
Validity Date:
start date: 10:22:27 GMT Aug 8 2025
end date: 10:22:27 GMT Aug 6 2035
Associated Trustpoints: DMVPN CA
Storage: nvram:capkitestcom#1CA.cer
CSR1#terminal monitor
CSR1(config)#crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: [left empty; press Enter]
Aug 8 02:44:03.476: %PKI-6-CERT_ENROLL_MANUAL: Manual enrollment for trustpoint DMVPN
Re-enter password: [left empty; press Enter]
% The subject name in the certificate will include: cn=csr1.pkitest.com,ou=pkitest
% The subject name in the certificate will include: csr1.pkitest.com
% Include the router serial number in the subject name? [yes/no]: no [do not include the serial number]
% The IP address in the certificate is 100.1.1.150
Request certificate from CA? [yes/no]: yes [yes]
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' commandwill show the fingerprint.
CSR1(config)#
Aug 8 02:44:10.913: %PKI-6-CSR_FINGERPRINT:
CSR Fingerprint MD5 : F63D5C4D79CBF26868EDB4EEDF51A38E
CSR Fingerprint SHA1: 001E542021501F4ADB384552B329EDEBDA2AFA9B
Aug 8 02:44:10.914: CRYPTO_PKI: Certificate Request Fingerprint MD5: F63D5C4D 79CBF268 68EDB4EE DF51A38E
Aug 8 02:44:10.916: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 001E5420 21501F4A DB384552 B329EDEB DA2AFA9B
CSR1#crypto pki server CA grant 1 // issue the certificate for request 1
CSR1#show crypto pki server CA requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
3 pending 6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2 pending DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1 granted F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest
CSR1#crypto pki server CA grant 2 // issue the certificate for request 2
CSR1#crypto pki server CA grant 3 // issue the certificate for request 3
CSR1#show crypto pki server CA requests // list the certificate requests and their state
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
3 granted 6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2 granted DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1 granted F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest
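Manual granting mode is only a control if the CA operator compares each request's fingerprint with the one the enrolling router logged (%PKI-6-CSR_FINGERPRINT) and sanity-checks the subject before typing grant. As an added example that is not part of the original lab, this Python script performs that review over the request database shown above; CSR1's router-side fingerprint is from the page, CSR2's is constructed to match its request, and CSR3's is deliberately missing. It also flags that requests 2 and 3 still carry hostname=csr1.pkitest.com.

```python
import re

# Constructed from the `show crypto pki server CA requests` output on this page.
REQUESTS_OUTPUT = """\
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
3 pending 6C2B9AD8917C3EC8FC5A0CC4945CE505 ipaddress=100.1.3.150+hostname=csr1.pkitest.com,cn=csr3.pkitest.com,ou=pkitest
2 pending DDB4E285B9BAF98CF0B852935B264363 ipaddress=100.1.2.150+hostname=csr1.pkitest.com,cn=csr2.pkitest.com,ou=pkitest
1 granted F63D5C4D79CBF26868EDB4EEDF51A38E ipaddress=100.1.1.150+hostname=csr1.pkitest.com,cn=csr1.pkitest.com,ou=pkitest
"""

# MD5 fingerprints read from each enrolling router's own %PKI-6-CSR_FINGERPRINT
# log line. CSR1's value is from the page; CSR2's is constructed to match its
# request; CSR3 has not reported one, so its request cannot be verified.
ROUTER_REPORTED = {
    "csr1.pkitest.com": "F63D5C4D79CBF26868EDB4EEDF51A38E",
    "csr2.pkitest.com": "DDB4E285B9BAF98CF0B852935B264363",
}

ROW_RE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)\s*$", re.M)

def parse_subject(subject):
    """'ipaddress=...+hostname=...,cn=...,ou=...' -> {'ipaddress': ..., 'cn': ...}."""
    return dict(kv.split("=", 1) for kv in re.split(r"[+,]", subject) if "=" in kv)

def review_requests(output, reported):
    """Return {ReqID: (decision, reasons)} where decision is 'skip', 'grant' or 'hold'."""
    verdicts = {}
    for req_id, state, fp, subject in ROW_RE.findall(output):
        if state != "pending":
            verdicts[int(req_id)] = ("skip", [f"already {state}"])
            continue
        attrs = parse_subject(subject)
        cn, host = attrs.get("cn", ""), attrs.get("hostname", "")
        reasons = []
        # Subject hygiene: the fqdn in the trustpoint must be the router's own name.
        if host != cn:
            reasons.append(f"hostname {host} does not match cn {cn}")
        # The fingerprint the CA sees must equal the one the router itself logged.
        expected = reported.get(cn)
        if expected is None:
            reasons.append(f"no out-of-band fingerprint for {cn}")
        elif fp.upper() != expected.upper():
            reasons.append("fingerprint mismatch, possible rogue request")
        verdicts[int(req_id)] = ("grant" if not reasons else "hold", reasons)
    return verdicts

if __name__ == "__main__":
    for req_id, (decision, reasons) in sorted(review_requests(REQUESTS_OUTPUT, ROUTER_REPORTED).items()):
        print(f"ReqID {req_id}: {decision}", "; ".join(reasons))
```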
CSR1#show crypto pki certificates TEST
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca.pkitest.com
ou=pkitest
Subject:
Name: csr1.pkitest.com
IP Address: 100.1.1.150
ipaddress=100.1.1.150+hostname=csr1.pkitest.com
cn=csr1.pkitest.com
ou=pkitest
Validity Date:
start date: 11:10:10 GMT Aug 8 2025
end date: 11:10:10 GMT Feb 4 2026
Associated Trustpoints: TEST
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca.pkitest.com
ou=pkitest
Subject:
cn=ca.pkitest.com
ou=pkitest
Validity Date:
start date: 10:22:27 GMT Aug 8 2025
end date: 10:22:27 GMT Aug 6 2035
Associated Trustpoints: DMVPN CA
Storage: nvram:capkitestcom#1CA.cer