S1720, S2700, S5700, S6720 V200R012(C00&C20) Configuration Guide - Security

This document describes security configuration, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, PKI, service and management isolation, and security risk query configuration.
Example for Configuring Automatic Local Certificate Enrollment for a PKI Entity Through SCEP

Networking Requirements

As shown in Figure 16-11, an enterprise deploys a Switch as the egress gateway at the network border. The Switch requests a local certificate online from a CA server on the public network.

The user wants a simple and fast way to request a local certificate for the PKI entity, have the certificate imported into device memory automatically once the request succeeds, and have the certificate renewed automatically when it is about to expire. Configuring automatic local certificate enrollment for the PKI entity through SCEP meets these requirements.

Figure 16-11 Networking for configuring automatic local certificate enrollment for a PKI entity through SCEP

Note:

This example lists only the configuration on the Switch side for requesting the certificate. For deployment and configuration of the CA server, see the relevant product documentation. The CA server in this example is the Certificate Services role that ships with Windows Server 2008, with the SCEP add-on installed.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure IP addresses for the interfaces and a static route to the CA server so that the Switch and the CA server can reach each other.
  2. Create an RSA key pair so that the public key can be carried in the local certificate request.
  3. Configure a PKI entity so that the request carries the entity information that identifies the PKI entity.
  4. Request and automatically renew the certificate through SCEP so that the certificate is installed automatically and renewed automatically when it is about to expire.

Data Preparation

Before requesting a certificate, obtain the CA certificate fingerprint and the challenge password from the CA server out of band. In this example the fingerprint is assumed to be "e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0" and the challenge password "6AE73F21E6D3571D".

Windows Server 2008 is used as the CA server in this document. The CA certificate fingerprint and challenge password can be obtained by logging in to http://host:port/certsrv/mscep_admin/, where host is the IP address of the CA server and port is its port number.

Procedure

  1. Configure IP addresses for the interfaces and a static route to the CA server.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 200
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.2.0.2 255.255.255.0
    [Switch-Vlanif100] quit
    [Switch] interface vlanif 200
    [Switch-Vlanif200] ip address 10.1.0.2 255.255.255.0
    [Switch-Vlanif200] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type trunk
    [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] ip route-static 10.3.0.0 255.255.255.0 10.2.0.1

  2. Create an RSA key pair.

    # Create a 2048-bit RSA key pair named rsa_scep and allow it to be exported from the device.

    [Switch] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep 
     The size of the public key ranges from 2048 to 4096.
     Input the bits in the modules:2048
     Generating key-pairs...       ..................+++
    .......................+++ 
    

  3. Configure a PKI entity to identify the PKI entity that requests the certificate.

    # Configure the PKI entity user01.

    [Switch] pki entity user01
    [Switch-pki-entity-user01] common-name hello
    [Switch-pki-entity-user01] country cn
    [Switch-pki-entity-user01] email user@test.abc.com
    [Switch-pki-entity-user01] fqdn test.abc.com
    [Switch-pki-entity-user01] ip-address 10.2.0.2
    [Switch-pki-entity-user01] state jiangsu
    [Switch-pki-entity-user01] organization huawei
    [Switch-pki-entity-user01] organization-unit info
    [Switch-pki-entity-user01] quit
    

  4. Request and renew the certificate through SCEP.

    [Switch] pki realm abc
    [Switch-pki-realm-abc] ca id ca_root
    [Switch-pki-realm-abc] entity user01
    [Switch-pki-realm-abc] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
    [Switch-pki-realm-abc] enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
    [Switch-pki-realm-abc] rsa local-key-pair rsa_scep
    [Switch-pki-realm-abc] enrollment-request signature message-digest-method sha-384
    [Switch-pki-realm-abc] password cipher 6AE73F21E6D3571D
    

  5. Enable automatic certificate enrollment and renewal, so that the certificate is renewed automatically when 60% of its validity period has elapsed and the RSA key pair is regenerated at the same time.

    [Switch-pki-realm-abc] auto-enroll 60 regenerate 2048
    [Switch-pki-realm-abc] quit
    

    When requesting the local certificate, the device first obtains and automatically installs the CA certificate, then obtains and automatically installs the local certificate. The obtained CA certificate and local certificate are named abc_ca.cer and abc_local.cer respectively.

  6. Verify the configuration.
    1. After the certificate request succeeds, run the display pki certificate local command to view the local certificate that has been imported into memory.

      [Switch] display  pki certificate local realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  48:65:aa:2a:00:00:00:00:3f:c6                                       
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Dec 21 11:46:10 2015 GMT                                
                  Not After : Dec 21 11:56:10 2016 GMT                                
              Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello                  
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:94:6f:49:bd:6a:f3:d5:07:ee:10:ee:4f:d3:06:               
                          80:59:15:cb:a8:0a:b2:ba:c2:db:52:ec:e9:d1:a7:               
                          72:de:ac:35:df:bb:e0:72:62:08:3e:c5:54:c1:ba:               
                          4a:bb:1b:a9:d9:dc:e4:b6:4d:ca:b3:54:90:b6:8e:               
                          15:a3:6e:2d:b2:9e:9e:7a:33:b0:56:3f:ec:bc:67:               
                          1c:4c:59:c6:67:0f:a7:03:52:44:8c:53:72:42:bd:               
                          6e:0c:90:5b:88:9b:2c:95:f7:b8:89:d1:c2:37:3e:               
                          93:78:fa:cb:2c:20:22:5f:e5:9c:61:23:7b:c0:e9:               
                          fe:b7:e6:9c:a1:49:0b:99:ef:16:23:e9:44:40:6d:               
                          94:79:20:58:d7:e1:51:a1:a6:4b:67:44:f7:07:71:               
                          54:93:4e:32:ff:98:b4:2b:fa:5d:b2:3c:5b:df:3e:               
                          23:b2:8a:1a:75:7e:8f:82:58:66:be:b3:3c:4a:1c:               
                          2c:64:d0:3f:47:13:d0:5a:29:94:e2:97:dc:f2:d1:               
                          06:c9:7e:54:b3:42:2e:15:b8:40:f3:94:d3:76:a1:               
                          91:66:dd:40:29:c3:69:70:6d:5a:b7:6b:91:87:e8:               
                          bb:cb:a5:7e:ec:a5:31:11:f3:04:ab:1a:ef:10:e6:               
                          f1:bd:d9:76:42:6c:2e:bf:d9:91:39:1d:08:d7:b4:               
                          18:53                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:
                  X509v3 Key Usage:
                      Digital Signature, Key Encipherment   
                  X509v3 Subject Alternative Name:                                    
                      IP Address:10.2.0.2, DNS:test.abc.com, email:user@test.abc.com  
                  X509v3 Subject Key Identifier:                                      
                      15:D1:F6:24:EB:6B:C0:26:19:58:88:91:8B:60:42:CE:BA:D5:4D:F3     
                  X509v3 Authority Key Identifier:                                    
                      keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
                                                                                      
                  X509v3 CRL Distribution Points:                                     
                                                                                      
                      Full Name:                                                      
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
                        URI:http://10.3.0.1:8080/certenroll/ca_root.crl           
                                                                                      
                  Authority Information Access:                                       
                      CA Issuers - URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/vasp-e6000-127.china.huawei.com_ca_root.crt
                      OCSP - URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\vasp-e6000-127.china.huawei.com_ca_root.crt
                                                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
                  X509v3 Basic Constraints: critical                                  
                      CA:FALSE                                                        
                  X509v3 Extended Key Usage:                                          
                      1.3.6.1.5.5.8.2.2   
          Signature Algorithm: sha1WithRSAEncryption                                  
               d2:be:a8:52:6b:03:ce:89:f1:5b:49:d4:eb:2b:9f:fd:59:17:                 
               d4:3c:f1:db:4f:1b:d1:12:ac:bf:ae:59:b4:13:1b:8a:20:d0:                 
               52:6a:f8:a6:03:a6:72:06:41:d2:a7:7d:3f:51:64:9b:84:64:                 
               cf:ec:4c:23:0a:f1:57:41:53:eb:f6:3a:44:92:f3:ec:bd:09:                 
               75:db:02:42:ab:89:fa:c4:cd:cb:09:bf:83:1d:de:d5:4b:68:                 
               8a:a6:5f:7a:e8:b3:34:d3:e8:ec:24:37:2b:bd:3d:09:ed:88:                 
               d8:ed:a7:f8:66:aa:6f:b0:fe:44:92:d4:c9:29:21:1c:b3:7a:                 
               65:51:32:50:5a:90:fa:ae:e1:19:5f:c8:63:8d:a8:e7:c6:89:                 
               2e:6d:c8:5b:2c:0c:cd:41:48:bd:79:74:0e:b8:2f:48:69:df:                 
               02:89:bb:b3:59:91:7f:6b:46:29:7e:22:05:8c:bb:6a:7e:f3:                 
               11:5a:5f:fb:65:51:7d:35:ff:49:9e:ec:d1:2d:7e:73:e5:99:                 
               c6:41:84:0c:50:11:ed:97:ed:15:de:11:22:73:a1:78:11:2e:                 
               34:e6:f5:de:66:0c:ba:d5:32:af:b8:54:26:4f:5b:9e:89:89:                 
               2a:3f:b8:96:27:00:c3:08:3a:e9:e8:a6:ce:4b:5a:e3:97:9e:                 
               6b:dd:f0:72                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_local.cer                                            
      Certificate peer name: - 

    2. After the certificate request succeeds, run the display pki certificate ca command to view the CA certificate that has been imported into memory.

      [Switch] display  pki certificate ca realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f                     
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Jun  4 14:58:17 2015 GMT                                
                  Not After : Jun  4 15:07:10 2020 GMT                                
              Subject: CN=ca_root                                                     
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:               
                          d5:68:92:1b:04:9d:cf:33:a2:73:64:3e:5f:fe:1a:               
                          53:78:0e:3d:e1:99:14:aa:86:9b:c3:b8:33:ab:bb:               
                          76:e9:82:f6:8f:05:cf:f6:83:8e:76:ca:ff:7d:f1:               
                          bc:22:74:5e:8f:4c:22:05:78:d5:d6:48:8d:82:a7:               
                          5d:e1:4c:a4:a9:98:ec:26:a1:21:07:42:e4:32:43:               
                          ff:b6:a4:bd:5e:4d:df:8d:02:49:5d:aa:cc:62:6c:               
                          34:ab:14:b0:f1:58:4a:40:20:ce:be:a5:7b:77:ce:               
                          a4:1d:52:14:11:fe:2a:d0:ac:ac:16:95:78:34:34:               
                          21:36:f2:c7:66:2a:14:31:28:dc:7f:7e:10:12:e5:               
                          6b:29:9a:e8:fb:73:b1:62:aa:7e:bd:05:e5:c6:78:               
                          6d:3c:08:4c:9c:3f:3b:e0:e9:f2:fd:cb:9a:d1:b7:               
                          de:1e:84:f4:4a:7d:e2:ac:08:15:09:cb:ee:82:4b:               
                          6b:bd:c6:68:da:7e:c8:29:78:13:26:e0:3c:6c:72:               
                          39:c5:f8:ad:99:e4:c3:dd:16:b5:2d:7f:17:e4:fd:               
                          e4:51:7a:e6:86:f0:e7:82:2f:55:d1:6f:08:cb:de:               
                          84:da:ce:ef:b3:b1:d6:b3:c0:56:50:d5:76:4d:c7:               
                          fb:75                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      ...C.A                                                          
                  X509v3 Key Usage: critical                                          
                      Digital Signature, Certificate Sign, CRL Sign                   
                  X509v3 Basic Constraints: critical                                  
                      CA:TRUE                                                         
                  X509v3 Subject Key Identifier:                                      
                      B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5     
                  X509v3 CRL Distribution Points:                                     
                                                                                      
                      Full Name:                                                      
                        URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.crl
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
                                                                                      
                  1.3.6.1.4.1.311.21.1:                                               
                      ...                                                             
          Signature Algorithm: sha1WithRSAEncryption                                  
               52:21:46:b8:67:c8:c3:4a:e7:f8:cd:e1:02:d4:24:a7:ce:50:                 
               be:33:af:8a:49:47:67:43:f9:7f:79:88:9c:99:f5:87:c9:ff:                 
               08:0f:f3:3b:de:f9:19:48:e5:43:0e:73:c7:0f:ef:96:ef:5a:                 
               5f:44:76:02:43:83:95:c4:4e:06:5e:11:27:69:65:97:90:4f:                 
               04:4a:1e:12:37:30:95:24:75:c6:a4:73:ee:9d:c2:de:ea:e9:                 
               05:c0:a4:fb:39:ec:5c:13:29:69:78:33:ed:d0:18:37:6e:99:                 
               bc:45:0e:a3:95:e9:2c:d8:50:fd:ca:c2:b3:5a:d8:45:82:6e:                 
               ec:cc:12:a2:35:f2:43:a5:ca:48:61:93:b9:6e:fe:7c:ac:41:                 
               bf:88:70:57:fc:bb:66:29:ae:73:9c:95:b9:bb:1d:16:f7:b4:                 
               6a:da:03:df:56:cf:c7:c7:8c:a9:19:23:61:5b:66:22:6f:7e:                 
               1d:26:92:69:53:c8:c6:0e:b3:00:ff:54:77:5e:8a:b5:07:54:                 
               fd:18:39:0a:03:ac:1d:9f:1f:a1:eb:b9:f8:0d:21:25:36:d5:                 
               06:de:33:fa:7b:c8:e9:60:f3:76:83:bf:63:c6:dc:c1:2c:e4:                 
               58:b9:cb:48:15:d2:a8:fa:42:72:15:43:ef:55:63:39:58:77:                 
               e8:ae:0f:34                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_ca.cer                                               
      Certificate peer name: - 

    3. After automatic certificate renewal is configured, once the system detects that more than 60% of the current certificate's validity period has elapsed, it sends a certificate renewal request to the SCEP server.

      Because the regenerate parameter was specified in the auto-enroll command, the system generates a new RSA key pair when requesting the new certificate during renewal.
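As an added example that is not part of the Huawei documentation, the following Python script models the two checks that the realm configuration in step 4 and the auto-enroll setting in step 5 rely on: comparing the SHA-256 fingerprint of a downloaded CA certificate against the value pinned with fingerprint sha256 before the CA is trusted, and computing, from the Not Before and Not After lines printed by display pki certificate local, the moment at which auto-enroll 60 sends the renewal request. The DER bytes are a constructed stand-in rather than a real certificate, the fingerprint and validity dates are the ones shown on this page, and the function names are assumptions of this example, not device commands.

```python
"""Fingerprint pinning and auto-enroll timing for SCEP enrollment.

Added example, not Huawei code. The DER bytes are a constructed stand-in;
the fingerprint and validity dates are copied from the page.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the DER-encoded CA certificate the switch fetches
# over SCEP; a real check hashes the actual certificate file.
CONSTRUCTED_CA_DER = b"\x30\x82\x01\x0a" + b"constructed-ca-certificate-body" * 4

# Fingerprint pinned in the realm on this page (fingerprint sha256 ...).
PAGE_FINGERPRINT = "e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0"

# Validity block as printed by 'display pki certificate local realm abc'.
PAGE_LOCAL_VALIDITY = """\
            Validity
                Not Before: Dec 21 11:46:10 2015 GMT
                Not After : Dec 21 11:56:10 2016 GMT
"""


def sha256_hex(der: bytes) -> str:
    """SHA-256 of the DER bytes, lowercase hex (what 'fingerprint sha256' pins)."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_ca_fingerprint(der: bytes, expected: str) -> bool:
    """True only if SHA-256(der) equals the out-of-band fingerprint.

    Constant-time comparison; a mismatch means the CA certificate received
    over SCEP is not the one the administrator pinned and must not be trusted.
    """
    return hmac.compare_digest(sha256_hex(der), normalize_fingerprint(expected))


_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s+GMT")


def parse_validity(display_output: str):
    """Return (not_before, not_after) as aware UTC datetimes from display output."""
    found = {}
    for m in _DATE_RE.finditer(display_output):
        stamp = " ".join(m.group(2).split())  # collapse 'Jun  4' to 'Jun 4'
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[m.group(1)] = parsed.replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]


def auto_enroll_time(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """Moment at which 'auto-enroll <percent>' triggers renewal.

    That share of the validity period measured from Not Before, computed in
    whole seconds so no floating-point rounding creeps into the result.
    """
    if not 0 < percent <= 100:
        raise ValueError("percent must be in 1..100")
    total_seconds = int((not_after - not_before).total_seconds())
    return not_before + timedelta(seconds=total_seconds * percent // 100)


def renewal_for_page_cert(percent: int = 60) -> datetime:
    """Renewal time for the local certificate shown on the page."""
    not_before, not_after = parse_validity(PAGE_LOCAL_VALIDITY)
    return auto_enroll_time(not_before, not_after, percent)


if __name__ == "__main__":
    ok = verify_ca_fingerprint(CONSTRUCTED_CA_DER, PAGE_FINGERPRINT)
    print("pinned fingerprint matches downloaded CA cert:", ok)
    print("auto-enroll 60 sends the renewal request at:", renewal_for_page_cert(60).isoformat())
```

Because the DER bytes are constructed, the pinned page fingerprint does not match them and the first line prints False, which is exactly the outcome a wrong or substituted CA certificate should produce. The validity on the page spans 366 days plus 10 minutes, so 60% of it falls on 2016-07-28 02:16:10 UTC, well before the Not After date; an operator can reproduce this calculation to predict when the switch will contact the SCEP server and plan the CA-side challenge password accordingly.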

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100 200
#
interface Vlanif100                                                             
 ip address 10.2.0.2 255.255.255.0
# 
interface Vlanif200                                                             
 ip address 10.1.0.2 255.255.255.0
# 
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 
#
ip route-static 10.3.0.0 255.255.255.0 10.2.0.1
#
pki realm abc
 ca id ca_root                                                                  
 enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
 entity user01                                                                  
 fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
 rsa local-key-pair rsa_scep                                                    
 password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#                               
 auto-enroll 60 regenerate 
 enrollment-request signature message-digest-method sha-384
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 10.2.0.2
 email user@test.abc.com
#
return
Updated: 2018-12-24

Document ID: EDOC1100038434