crypt ca authenticate myca
!--- Fetches the CA's own certificate. The prompt looks roughly like this:

Certificate has the following attributes:
Fingerprint: 1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5
% Do you accept this certificate? [yes/no]: y

!--- The CA certificate's fingerprint can also be read by browsing to
!--- http://192.168.0.2:80/certsrv/mscep/mscep.dll; compare the two fingerprints to
!--- confirm that the CA is the one you expect before answering yes. This is the trust
!--- anchor for everything that follows: answering yes here is what makes the router
!--- trust every certificate this CA later issues. A fingerprint fetched over plain
!--- HTTP from the same host only shows that the router and the browser reached the
!--- same server, so where possible confirm it on the CA machine itself as well.
!--- Once the CA certificate has been obtained, check it with show cry ca cert:

CA Certificate
  Status: Available
  Certificate Serial Number: 4C38D9568E6C16874378C4D466F3DDB7
  Key Usage: Signature
  ...
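The fingerprint comparison above is the trust anchor for the whole enrollment, so here is an added example (not from the original tutorial, and not Cisco or Microsoft tooling) of doing that check against an independent copy of the CA certificate, for instance one exported on the CA machine itself rather than downloaded from the SCEP server: it computes the certificate's fingerprint the way IOS formats it and compares it with what the router printed. The certificate path and the fingerprint string are command-line arguments supplied by the operator; the four-groups-of-eight MD5 layout is taken from the transcript above, and accepting SHA1/SHA256-length values for newer IOS releases is an assumption.

```python
"""Check the fingerprint the router prints during 'crypto ca authenticate'
against a copy of the CA certificate obtained through an independent path.
Added example; not part of the original tutorial or of Cisco/Microsoft tooling.

Assumptions (not from the original page):
  - the router prints an MD5 fingerprint as four groups of eight hex digits,
    as in the transcript; newer IOS prints MD5 and SHA1 lines, which are
    also accepted here;
  - the CA certificate is on disk in PEM or DER form.
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Digest length in hex digits -> algorithm the router used.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_der(data: bytes) -> bytes:
    """Return the DER encoding from a PEM or DER certificate file."""
    m = PEM_RE.search(data.decode("ascii", "ignore"))
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    if not data or data[0] != 0x30:  # a DER certificate starts with SEQUENCE
        raise ValueError("input is neither PEM nor DER")
    return data


def ios_fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the whole DER certificate, formatted the way IOS prints it:
    upper-case hex in space-separated groups of eight characters."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so a hand-transcribed value compares equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der: bytes, printed: str) -> bool:
    """True if the fingerprint shown on the router belongs to this certificate.
    A value whose length matches no known digest is rejected, not guessed at."""
    want = normalize(printed)
    algo = ALGO_BY_LEN.get(len(want))
    if algo is None:
        return False
    return normalize(ios_fingerprint(der, algo)) == want


def main(argv):
    if len(argv) != 3:
        print("usage: verify_ca_fp.py <ca-cert.pem|.cer> '<fingerprint from router>'")
        return 2
    with open(argv[1], "rb") as f:
        der = load_der(f.read())
    ok = fingerprint_matches(der, argv[2])
    print("MD5  ", ios_fingerprint(der, "md5"))
    print("SHA1 ", ios_fingerprint(der, "sha1"))
    print("MATCH" if ok else "MISMATCH - answer 'no' on the router")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_ca_fp.py ca.cer "1FCDF2C8 2DEDA6AC 4819D4C4 B4CFF2F5"` with the certificate file and the string copied from the router prompt; only answer yes on the router when it reports MATCH.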
crypt ca enroll myca
!--- Sends the router's public key to the CA and requests the router's own
!--- certificate. The prompt looks roughly like this:

% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: myrouter.test.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
myrouter(config)# Fingerprint: A1D6C28B 6575AD08 F0B656D4 7161F76F
3d09h: CRYPTO_PKI: status = 102: certificate request pending

!--- Pay attention to the Password prompt above; I spent quite a while stuck here.
!--- Despite what the prompt says, this is not a password you make up: it is the
!--- enrollment challenge password, and it is issued by the CA. Open
!--- http://192.168.0.2:80/certsrv/mscep/mscep.dll in IE again to obtain it, then
!--- paste that challenge password at the prompt. It is what ties the request to an
!--- operator authorised on the CA, so it is a one-time password (OTP): it is valid
!--- for 60 minutes and can be used only once, after which a fresh one must be
!--- fetched from the same page.
!--- After the request has been submitted, run show cry ca cert again; the router's
!--- own certificate now shows status Pending, meaning the CA has received the
!--- request but has not yet issued the certificate:

Certificate
  Status: Pending