NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Configuring PKI Certificate

Configuring a PKI certificate involves creating an RSA key pair, configuring entity information, obtaining certificates, and verifying the certificate configuration.

Applicable Environment

Two devices use digital certificates to authenticate each other's identity when establishing a VPN, which prevents man-in-the-middle attacks.

As shown in Figure 1, Device A and Device B apply for certificates from the same CA server, and download the root certificate and their entity certificates from that server. When an IPSec VPN needs to be established for data transmission between Device A and Device B, the two devices must authenticate each other using certificates. Only when both have passed authentication can they set up the IPSec VPN.

Figure 13-3 Diagram for configuring certificate-based authentication

Pre-configuration Tasks

Before configuring the entity information, complete the following tasks:

  • Assign an IP address to each interface.

  • Configure routes between the devices that use digital certificates to authenticate each other's identity when establishing a VPN.

Configuration Procedure

Figure 13-4 Flowchart of configuring the entity information

Creating an RSA Key Pair

Before applying for certificates, create RSA key pairs.

Usage Scenario

Generating a key pair is a prerequisite for applying for a certificate. The key pair consists of a private key and a public key. The private key is kept by the user, and the public key and other information are delivered to the CA. Then, the CA generates a certificate and signs it with the public key. If the private key is disclosed, the user must delete the old key pair, create a new key pair, and reapply for a certificate.

RSA, named after Ron Rivest, Adi Shamir, and Len Adleman, is a public key encryption algorithm. RSA key pairs are categorized into host key pairs and server key pairs. Each key pair is composed of a private key and a public key. Both key pairs are used by SSH. The server key pair is periodically changed by the local server, while the host key pair remains unchanged. The host key pair is used when you apply for a certificate.

NOTE:
  • If an unnamed RSA key pair exists on a device, a newly created key pair overwrites the old one. If multiple RSA key pairs exist or a named RSA key exists on a device, delete the existing RSA key pairs before creating and renaming RSA key pairs.
  • After the key pair is deleted or replaced, the existing certificate becomes invalid. You need to apply for a new certificate, which ensures the RSA key pair and certificate match.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run rsa pki local-key-pair [ key-name ] create

    The local key pair is created.

  3. Run commit

    The configuration is committed.

Configuring Entity Information

When applying for a certificate, an entity must add its entity information to the certificate request file and send the file to the CA. The CA uses this information to describe the entity, and identifies the entity by a unique Distinguished Name (DN).

Context

The local certificate associates user identity information with the user public key, while the identity information must be associated with a specific PKI entity. The CA identifies the certificate applicant based on the identity information that the entity provides. The entity information includes:

  • Common name of the entity
  • Country code of the entity
  • Email address of the entity
  • Fully Qualified Domain Name (FQDN) of the entity
  • IP address of the entity
  • Name of the region where the entity resides
  • Organization name of the entity
  • Department name of the entity
  • State or province of the entity
NOTE:
In the entity information, the common name of the entity is mandatory. Whether to configure the other attributes depends on the certificate issuing policy on the CA server. If the attributes used to filter certificates do not match the certificate issuing policy, the certificate application will fail.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki entity entity-name

    An entity name is created and the entity view is displayed.

  3. Configure entity attributes.

    • Run common-name cn-name

      The common name of the entity is configured.

    • (Optional) Run country country-code

      The country code of the entity is specified.

    • (Optional) Run email email-address

      The email address of the entity is configured.

    • (Optional) Run fqdn fqdn-name

      The FQDN of the entity is configured.

    • (Optional) Run ip-address ip-address

      The IP address of the entity is configured.

    • (Optional) Run locality locality-name

      The name of the locality where the entity resides is specified.

    • (Optional) Run organization organization-name

      The organization name of the entity is specified.

    • (Optional) Run organization-unit org-unit

      The department name of the entity is configured.

    • (Optional) Run state state-province-name

      The state or province of the entity is configured.

  4. Run commit

    The configuration is committed.

Obtaining Certificates

To use certificates to authenticate users, the entity needs to obtain a local certificate and the CA certificates. The local certificate proves the identity of the entity, and a CA certificate proves that the local certificate was issued by a legitimate CA.

Context

You can perform the following operations to obtain the certificates:
  • Configure a PKI domain:

    Before sending a certificate request, create a PKI domain and configure the entity information in the PKI domain.

    A PKI domain is configured locally and is invisible to the CA and other devices. Each PKI domain has its own parameters.

  • Apply for certificates:

    After a certificate request file is generated on the NE20E, a user needs to send the file to the CA to apply for a local certificate.

    Currently, the NE20E supports certificate application only in offline mode. Therefore, the user needs to create a certificate request file on the NE20E and send the file to the CA using FTP, a floppy disk, or an email to apply for the local certificate.

  • Download certificates:

    After a certificate is generated on the CA server, the user needs to download the certificate to the local device. Currently, only manual downloading of the certificates is supported. After obtaining CA certificates and a local certificate using FTP, a floppy disk, or an email, the user can upload the certificates to the CF card on the NE20E.

  • Install certificates:

    After obtaining CA certificates and a local certificate, install them on the device to take effect.

Procedure

  • Run the following commands to configure a PKI domain:

    1. Run system-view

      The system view is displayed.

    2. Run pki domain domain-name

      A PKI domain is created and the PKI domain view is displayed.

      NOTE:
      If a non-default key pair is required, perform the following operations:
      1. Run the pki cmp session session-name command to create a CMP session and enter the PKI CMP session view.
      2. Run the cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ] command to specify a local RSA key pair.
    3. Run certificate request entity entity-name

      An entity name is specified.

      The entity name must already exist.

    4. Run commit

      The configuration is committed.

  • Run the following commands to apply for certificates:

    1. (Optional) Run pki file-format { der | pem }

      The format of a certificate request file is specified.

    2. Run pki request-certificate domain domain-name pkcs10 [ signature-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } ]

      A certificate request file named domain-name.req is generated.

    3. Apply for a local certificate.

      A user can use FTP, a floppy disk, or an email to send a certificate application file to the CA to apply for a local certificate.

    4. Run commit

      The configuration is committed.

  • Download the certificates manually.
  • Run the following command to install the certificates:
    1. Run pki import-certificate { ca | local | crl | peer } filename file-name

      A CA certificate or local certificate is installed.

    2. Run commit

      The configuration is committed.

Verifying the PKI Certificate Configuration

After configuring the PKI certificate, verify the configuration.

Prerequisites

PKI certificates have been configured.

Procedure

  1. Run the display rsa pki local-key-pair [ file-name ] public command to check information about the public key of the RSA key pair.
  2. Run the display pki cert-req filename file-name command to check contents in the specific certificate request file.
  3. Run the display pki certificate filename file-name command to check contents in the specific certificate.
  4. Run the display pki ca_list command to check contents in the CA certificates that are imported into the memory of the device.
  5. Run the display pki cert_list command to check contents in the local certificate that is imported into the memory of the device.

Example

Run the display rsa pki local-key-pair public command to view information about the public key of the RSA key pair.
<HUAWEI> display rsa pki local-key-pair public

=====================================================
 Time of Key pair created: 15:47:34  2011/6/7
 Key name: I2_Host
 Key type: RSA encryption Key
=====================================================
 Key code:
 308188
  028180
    BD31D4A9 78E91504 474CC396 A9D4EF79 E650FA8A
    367B0E64 2C32DC80 C07AE34A CF43007D C554E1AD
    7DE64D3A 779F3876 3935099E 3A96DD7D 070EA356
    A0E45CCA E711DA1E 2AECD33A CEC9EEA6 50B3320A
    E3B59BE6 F9B9AC12 D11580C6 D47BDF3F 40F0C347
    46CDAEAB 94993D99 AA3E5D04 2057A255 19A07630
    62C689B5 0871CE05
  0203
    010001

Run the display pki cert-req filename file-name command to view contents in the certificate request file named test.req.

<HUAWEI> display pki cert-req filename test.req

Certificate Request:                                                            
    Data:                                                                       
        Version: 0 (0x0)                                                        
        Subject: CN=test                                                        
        Subject Public Key Info:                                                
            Public Key Algorithm: rsaEncryption                                 
            RSA Public Key: (512 bit)                                           
                Modulus (512 bit):                                              
                    00:c1:85:41:ab:18:38:06:d6:85:87:ee:7e:ab:e8:               
                    53:37:ae:75:e2:0b:27:07:ed:a6:9f:5b:5a:7e:5b:               
                    cd:23:c8:89:bb:0b:c7:3e:a7:69:a3:1a:04:20:39:               
                    28:79:f9:93:92:43:78:9f:76:8f:ec:87:0e:69:b3:               
                    80:77:d9:3f:a9                                              
                Exponent: 65537 (0x10001)                                       
        Attributes:                                                             
            a0:00                                                               
    Signature Algorithm: md5WithRSAEncryption                                   
        84:06:a2:60:81:22:e0:93:74:f1:f5:30:47:b0:49:7a:0f:d3:                  
        3e:ae:c6:db:8a:e2:13:a3:90:5d:58:fe:87:a1:cf:ff:34:db:                  
        50:ae:0d:d7:51:87:c4:a2:cd:85:ce:a9:ee:83:1e:62:7f:a3:                  
        41:6e:11:2c:67:a5:dc:b9:bd:2d

Run the display pki certificate filename file-name command to view contents in the local certificate named ca.cer.

<HUAWEI> display pki certificate filename ca.cer
Certificate: 
    Data: 
        Version: 3 (0x2)
        Serial Number:
            9
        Signature Algorithm: SHA256WITHRSAENCRYPTION
        Issuer: CN=abc ,O=In,C=Huawei
        Validity
            Not Before: Jun  21  15:24:46 2014 GMT
            Not After : Jun  21  15:24:46 2015 GMT
        Subject: CN=pkiram ,O=HTIPL,C=In
        Subject Public Key Info:
            Public Key Algorithm: RSA Algorithm
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    fb:d2:64:5d:41:a5:ec:96:d7:d0:e6:a1:10:31:93:
                    7d:3e:33:d4:20:33:84:12:b7:d4:6b:ea:a:4a:67:
                    cb:9d:2:d0:8:2:9:1d:8a:a4:63:f4:8e:17:ce:
                    19:d0:a7:fa:b8:d9:70:2a:7a:6f:2f:59:32:26:97:
                    5d:78:f8:6f
                Exponent:  257  (0x101)
         X509v3 extensions:
                X509v3 Basic Constraints: non-critical
                CA : false
                X509v3 Key Usage: 
                
                X509v3 Extended Key Usage: 
                            
                       
    Signature Algorithm: SHA256WITHRSAENCRYPTION
        a:f:bb:9:2f:1a:ac:c8:69:7b:36:6e:b0:4b:8d:f:d0:a0:
        c2:8a:d4:d6:11:ac:1:69:40:75:d1:99:28:62:a4:22:bf:9a:
        4e:38:25:40:b4:5f:8c:4e:ef:1b:7c:85:1a:c5:72:ac:ba:d2:
        14:26:bf:34:21:1e:15:39:8f:1e:d1:47:64:74:c3:e6:6d:ae:
        c:f5:d9:4:7:4d:17:22:11:87:28:22:a4:5c:d5:b8:dd:68:
        75:e0:4c:16:5e:51:14:17:4c:1b:38:26:3e:b1:fb:cf:39:4f:
        56:8a:ad:3f:7c:c9:32:a9:ae:25:f7:c2:31:49:53:ee:53:59:
        9c:92

Run the display pki ca_list command to view contents in CA certificates that are imported into the memory of the device.

<HUAWEI> display pki ca_list
Certificate: 
    Data: 
        Version: 3 (0x2)
        Serial Number:
            0:ed:5d:c6:13:15:e0:28:83
        Signature Algorithm: SHA1WITHRSA
        Issuer: CN=abc ,O=HTIPL,C=In
        Validity
            Not Before: Jun  17  6:47:27 2014 GMT
            Not After : Jun  17  6:47:27 2015 GMT
        Subject: CN= abc,O=HTIPL,C=In
        Subject Public Key Info:
            Public Key Algorithm: RSA Algorithm
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    c0:8c:fb:d2:bd:73:90:8d:2d:fd:eb:ff:1f:16:aa:
                    31:34:72:29:24:53:f6:61:22:8e:d4:f2:db:89:3f:
                    bf:80:1b:1d:ec:92:21:53:3:9e:1d:63:3f:70:28:
                    4:15:79:63:fe:7b:95:f4:bf:55:e1:8b:36:47:d7:
                    a3:9f:db:c8:a0:a2:12:20:64:7a:27:b2:b1:b5:72:
                    3:b0:be:f6:cc:2d:5c:f3:e3:4a:b5:73:3f:95:fd:
                    e7:c8:f4:49:39:e2:ee:60:5a:70:c0:de:5f:8b:ec:
                    87:7c:6f:41:62:c0:f4:af:93:83:27:6f:9c:c6:97:
                    57:89:2b:83:f:7d:ce:7b
                Exponent:  257  (0x101)
         X509v3 extensions:
                 X509v3 Basic Constraints: non-critical
                CA : true
                 X509v3 Key Usage: 
                Certificate Sign,  CRL Sign,       
                 X509v3 Extended Key Usage: 
                               
                
    Signature Algorithm: SHA1WITHRSA
        29:33:9e:9:b0:5:e0:65:fa:3d:7e:2:ee:6f:94:9b:24:c3:
        7a:f1:95:1f:dc:b8:9f:23:4c:8c:55:cf:4f:f5:85:89:67:82:
        3c:2a:7d:fa:39:b7:24:9c:1:b5:10:2b:5:2b:da:5d:c0:84:
        3b:cf:b1:a1:36:5b:ae:46:da:f:e0:97:4c:b6:4d:c9:60:67:
        87:e8:6e:5e:37:ea:2:4e:c1:b7:32:94:76:48:2f:a1:dd:97:
        d2:c9:8e:2b:b4:b4:91:7e:b9:2f:aa:a1:82:84:14:ea:f2:c5:
        54:e0:52:e4:4c:ee:a7:a4:dd:a1:a7:47:7d:67:76:7d:d5:fd:
        90:17

Run the display pki cert_list command to view contents in the local certificate that is imported into the memory of the device.

<HUAWEI> display pki cert_list
Certificate: 
    Data: 
        Version: 3 (0x2)
        Serial Number:
            8
        Signature Algorithm: SHA256WITHRSAENCRYPTION
        Issuer: CN=abc  ,O=HTIPL,C=In
        Validity
            Not Before: Jun  21  15:19:0 2014 GMT
            Not After : Jun  21  15:19:0 2015 GMT
        Subject: CN= pkihuawei,O=Huawei,C=In
        Subject Public Key Info:
            Public Key Algorithm: RSA Algorithm
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    fb:d2:64:5d:41:a5:ec:96:d7:d0:e6:a1:10:31:93:
                    7d:3e:33:d4:20:33:84:12:b7:d4:6b:ea:a:4a:67:
                    cb:9d:2:d0:8:2:9:1d:8a:a4:63:f4:8e:17:ce:
                    19:d0:a7:fa:b8:d9:70:2a:7a:6f:2f:59:32:26:97:
                    5d:78:f8:6f
                Exponent:  257  (0x101)
         X509v3 extensions:         
               X509v3 Basic Constraints: non-critical
                CA : false
               X509v3 Key Usage: 
                   
               X509v3 Extended Key Usage: 
                                   
    Signature Algorithm: SHA256WITHRSAENCRYPTION
        50:de:16:f7:6f:19:e6:82:d5:86:bb:ad:a9:8e:6c:1a:19:3e:
        5b:77:56:48:b9:83:88:f2:e7:16:b1:78:d:a:33:cb:15:ac:
        5a:79:b7:5b:f5:4d:e4:8f:37:cb:a3:7e:3a:82:93:cd:77:8d:
        97:6c:da:ac:b2:e4:3b:47:d5:d2:64:42:e1:bf:74:79:b6:eb:
        82:ee:c7:f5:ec:59:b6:f8:77:25:4c:cf:23:ef:2d:38:28:1a:
        ec:4b:98:d7:42:32:2b:c0:d6:b2:c8:86:93:f3:a0:83:a8:ce:
        eb:1a:3b:eb:2a:50:7:4a:ce:46:92:e3:f6:79:d7:60:94:b8:
        54:50
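The outputs above show the layout the device prints. As an added check (example code, not from the guide or from Huawei), the following Python script parses that layout and flags settings a defender would reject, such as the 512-bit keys and SHA-1 signature visible in these samples. It assumes the field layout shown here, and a 2048-bit minimum key size and a 30-day expiry warning as local policy.

```python
# Added example, not from the guide: audit the text 'display pki cert_list' and
# 'display pki ca_list' print. Samples are constructed from this guide's fields.
import re
from datetime import datetime, timezone
MIN_RSA_BITS = 2048           # assumed local policy
WEAK_SIG = ("MD5", "SHA1")    # substrings of the printed algorithm name

LOCAL_CERT = """        Signature Algorithm: SHA256WITHRSAENCRYPTION
            Not Before: Jun  21  15:19:0 2014 GMT
            Not After : Jun  21  15:19:0 2015 GMT
        Subject: CN= pkihuawei,O=Huawei,C=In
            RSA Public Key: (512 bit)
                CA : false
"""
CA_CERT = """        Signature Algorithm: SHA1WITHRSA
            Not Before: Jun  17  6:47:27 2014 GMT
            Not After : Jun  17  6:47:27 2015 GMT
        Subject: CN= abc,O=HTIPL,C=In
            RSA Public Key: (1024 bit)
                CA : true
"""

def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def parse_when(text):
    # Device form 'Jun  21  15:19:0 2014 GMT': seconds are not zero-padded.
    mon, day, hms, year = text.split()[:4]
    h, m, s = (int(x) for x in hms.split(":"))
    base = datetime.strptime(f"{mon} {int(day)} {year}", "%b %d %Y")
    return base.replace(hour=h, minute=m, second=s, tzinfo=timezone.utc)

def audit(cert_text, now, expect_ca=False):
    """Return a list of findings for one certificate; empty means none."""
    out = []
    bits = field(r"RSA Public Key: \((\d+) bit\)", cert_text)
    if bits and int(bits) < MIN_RSA_BITS:
        out.append(f"rsa key {bits} bit < {MIN_RSA_BITS}")
    sig = field(r"Signature Algorithm: (\S+)", cert_text) or ""
    if any(w in sig.upper() for w in WEAK_SIG):
        out.append(f"weak signature algorithm {sig}")
    nb, na = field(r"Not Before: (.+)", cert_text), field(r"Not After : (.+)", cert_text)
    if nb and na:
        start, end = parse_when(nb), parse_when(na)
        if now > end:
            out.append(f"expired {end:%Y-%m-%d}")
        elif now >= start and (end - now).days < 30:
            out.append("expires within 30 days")
    # Basic Constraints must match the role: CA=true for ca_list, false for cert_list.
    is_ca = field(r"CA\s*:\s*(true|false)", cert_text) == "true"
    if is_ca != expect_ca:
        out.append(f"basic constraints CA={is_ca}, expected {expect_ca}")
    return out
```

Run audit on each certificate the device lists, passing expect_ca=True for entries from display pki ca_list; any non-empty result is a reason to re-issue before the certificate is used for IPSec authentication.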
Updated: 2019-01-02

Document ID: EDOC1100055397
