CA-×××

Windows 2003 part
1. Install the IIS web service
2. Install SCEP (Simple Certificate Enrollment Protocol)
3. Download the Windows 2003 add-on Cepsetup.exe from Microsoft
   Once cepsetup.exe is installed it exposes this URL:
http://ca/certsrv/mscep/mscep.dll
Note: opening this address in IE prompts for a username and password. This is a system account and its password; an empty password is not accepted, so log in with a system account that has a password set. After logging in, the OTP challenge password is the string shown after "challenge password".
==============================
Router part:
ip domain-name kangta.com     ! required before the key pair can be generated
ip host ca 192.16.1.10        ! hostname and IP address of the CA server
crypto key generate rsa general-keys modulus 1024   ! create the router's public/private key pair
crypto ca trustpoint ca       ! declare the trusted CA, named ca
    enrollment mode ra        ! let the RA handle all enrollment transactions for the PKI server
    enrollment url http://ca/certsrv/mscep/mscep.dll   ! URL the router uses to reach the CA server
    crl optional              ! (note: this takes effect) accept the peer's certificate even when the CRL (certificate revocation list) is unavailable
==============================
After the configuration is complete:
crypto ca authenticate ca     ! fetch and verify the root certificate from the CA server
crypto ca enroll ca           ! the router requests its own identity certificate from the CA server
At this point a challenge password must be entered. It is an OTP (One Time Password) and is valid for 60 minutes. To obtain it, open the CA server's address http://ca/certsrv/mscep/mscep.dll in IE; the challenge password is displayed there, and you copy and paste it at the password prompt. Only after the command succeeds does the pending certificate request show up in the certificate service on the CA server.
==============================
Verification: show run displays the certificate strings.
Once the CA's certificate has been obtained, use show cry ca cert to inspect the CA Certificate.
Note:
crypto ca enroll ca
!--- sends the public key to the CA and obtains the router's own certificate; the prompts look roughly like this:

  % Start certificate enrollment ..
  % Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
  Password:
  Re-enter password:
  % The subject name in the certificate will be: myrouter.test.com
  % Include the router serial number in the subject name? [yes/no]: n
  % Include an IP address in the subject name? [yes/no]: n
  Request certificate from CA? [yes/no]: y
  % Certificate request sent to Certificate Authority
  % The certificate request fingerprint will be displayed.
  % The 'show crypto ca certificate' command will also show the fingerprint.
  myrouter(config)# Fingerprint: A1D6C28B 6575AD08 F0B656D4 7161F76F
  3d09h: CRYPTO_PKI: status = 102: certificate request pending
After the request has been sent, run show cry ca cert again; the Certificate status is now Pending:

  Certificate
  Status: Pending

In the CA's Pending Requests list, locate this pending request and choose Issue to issue the certificate. After a short while the router prints a message like the following:

  3d09h: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority

Now show cry ca cert shows the Certificate status as Available:

×××-Server(config)#do sh cry ca cer
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 61049F78000000000003
  Certificate Usage: Encryption
  Issuer:
    cn=ca
  Subject:
    ea=kangta
    cn=kangta
    ou=kangta
    o=kangta
    l=kangta
    st=kangta
    c=US
  CRL Distribution Points:
    http://ca/CertEnroll/ca.crl
  Validity Date:
    start date: 08:05:12 UTC Sep 5 2010
    end   date: 08:15:12 UTC Sep 5 2011
  Associated Trustpoints: ca

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 61049D55000000000002
  Certificate Usage: Signature
  Issuer:
    cn=ca
  Subject:
    ea=kangta
    cn=kangta
    ou=kangta
    o=kangta
    l=kangta
    st=kangta
    c=US
  CRL Distribution Points:
    http://ca/CertEnroll/ca.crl
  Validity Date:
    start date: 08:05:12 UTC Sep 5 2010
    end   date: 08:15:12 UTC Sep 5 2011
  Associated Trustpoints: ca

CA Certificate
  Status: Available
  Certificate Serial Number: 3A95B1BA0D8B8DBE4E9D2C1CD55EE854
  Certificate Usage: Signature
  Issuer:
    cn=ca
  Subject:
    cn=ca
  CRL Distribution Points:
    http://sinobest-6e30a7/CertEnroll/ca.crl
  Validity Date:
    start date: 07:50:20 UTC Sep 5 2010
    end   date: 07:59:56 UTC Sep 5 2015
  Associated Trustpoints: ca

Certificate
  Subject:
    Name: ×××-Server.kangta.com
    Serial Number: FFFFFFFF
   Status: Pending
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: A448576D 05B3772F C9804A60 69368491
   Certificate Request Fingerprint SHA1: F3FA75A5 9B78AF1B 699F6F2B 7A30546F 556DD1B0
   Associated Trustpoint: ca
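Two things a PKI operator wants to check after an enrollment like the one above are (a) whether every entry in `show crypto ca certificates` is actually Available and still inside its validity window (the RA certificates here are valid for only one year, the CA certificate for five), and (b) what the `crl optional` line in the trustpoint really changes. The Python script below is an added example, not code from the original post or from Cisco or Microsoft: it parses a listing in the format shown above (the sample is a constructed, trimmed copy of that output, with a placeholder subject name for the pending request), flags Pending, expired and soon-to-expire entries, and models the revocation decision with and without `crl optional` when the CRL cannot be fetched. The model of IOS behaviour is a simplification written for illustration.

```python
"""Offline audit of a Cisco IOS `show crypto ca certificates` listing (added example)."""
from datetime import datetime, timezone

# Constructed sample, trimmed from the listing shown above. The pending
# entry's subject name is a placeholder, not the page's router hostname.
SAMPLE_LISTING = """\
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 61049F78000000000003
  Certificate Usage: Encryption
  Issuer:
    cn=ca
  Subject:
    cn=kangta
  CRL Distribution Points:
    http://ca/CertEnroll/ca.crl
  Validity Date:
    start date: 08:05:12 UTC Sep 5 2010
    end   date: 08:15:12 UTC Sep 5 2011
  Associated Trustpoints: ca

CA Certificate
  Status: Available
  Certificate Serial Number: 3A95B1BA0D8B8DBE4E9D2C1CD55EE854
  Certificate Usage: Signature
  Issuer:
    cn=ca
  Subject:
    cn=ca
  CRL Distribution Points:
    http://ca/CertEnroll/ca.crl
  Validity Date:
    start date: 07:50:20 UTC Sep 5 2010
    end   date: 07:59:56 UTC Sep 5 2015
  Associated Trustpoints: ca

Certificate
  Subject:
    Name: router.example.invalid
    Serial Number: FFFFFFFF
   Status: Pending
   Key Usage: General Purpose
   Associated Trustpoint: ca
"""

DATE_FMT = "%H:%M:%S %Z %b %d %Y"  # IOS style, e.g. "08:05:12 UTC Sep 5 2010"


def parse_show_certificates(text):
    """Return one dict per certificate block in the listing.

    A block starts at a line with no leading whitespace ("CA Certificate");
    each indented "key: value" line is attached to the current block.
    """
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # new block header
            cur = {"type": line}
            certs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("http"):         # CRL distribution point URL
            cur["crl_dp"] = line
            continue
        key, sep, value = line.partition(":")
        if not sep:                         # e.g. "cn=ca" under Issuer/Subject
            continue
        key = " ".join(key.split()).lower()  # "end   date" -> "end date"
        value = value.strip()
        if key in ("start date", "end date"):
            cur[key] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key in ("certificate serial number", "serial number"):
            cur["serial"] = value.upper()
        elif value:
            cur[key] = value
    return certs


def audit_certificates(certs, now, warn_days=30):
    """Return findings for entries that need operator attention at time `now`."""
    findings = []
    for c in certs:
        label = f"{c['type']} {c.get('serial', '?')}"
        if c.get("status") != "Available":
            findings.append(f"{label}: status {c.get('status')}, enrollment not finished")
            continue
        end = c.get("end date")
        if end is None:
            continue
        if end <= now:
            findings.append(f"{label}: expired on {end:%Y-%m-%d}")
        elif (end - now).days < warn_days:
            findings.append(f"{label}: expires in {(end - now).days} days")
    return findings


def accept_peer_certificate(serial, revoked_serials, crl_optional):
    """Simplified model of the trustpoint revocation check.

    revoked_serials is the set of serials listed in the CA's CRL, or None when
    the CRL could not be downloaded. With the default (CRL required) a missing
    CRL rejects the peer; `crl optional` accepts it, which also means a revoked
    peer stays trusted for as long as the CRL server is unreachable.
    """
    if revoked_serials is None:
        return crl_optional
    return serial.upper() not in revoked_serials


if __name__ == "__main__":
    certs = parse_show_certificates(SAMPLE_LISTING)
    for finding in audit_certificates(certs, datetime(2011, 8, 20, tzinfo=timezone.utc)):
        print(finding)
    print(accept_peer_certificate("61049F78000000000003", None, crl_optional=True))
```

Run against the sample with a clock of 20 Aug 2011 it reports the RA certificate as expiring in 16 days and the router's own request as still Pending; the last line prints True, showing that with `crl optional` the router accepts a peer even though no CRL could be checked, which is the trade-off to keep in mind when copying that line into production.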
