I never really understood the Win2003 CA, so until now I had done every CA-related exercise without real hardware, but since I need to be able to configure it soon, I finally got it working today. Being a complete beginner, it took me five hours of fiddling.
Leaving the steps up to the point where the router can enroll with the CA here as a note to myself.
1. Create the trustpoint
R1(config)#crypto ca trustpoint IE1
R1(ca-trustpoint)#enrollment url http://10.0.0.100/certsrv/mscep/mscep.dll
2. Authenticate the CA
R1(config)#crypto ca authenticate IE1
Certificate has the following attributes:
Fingerprint: 50B975B9 223D3069 37D90027 3FA393A7
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
3. Check the CA
R1#show crypto ca trustpoints 1 IE1
Trustpoint IE1:
Subject Name:
cn=cisco
Serial Number: 0E8D8F1A55240E8C4C8C43AE3022FA98
Certificate configured.
CEP URL: http://10.0.0.100

Confirm that the serial number of the CA's own certificate matches the Serial Number shown on the command line.

Also confirm that CN=cisco is correct.
4. Obtain the password for enrolling with the CA

5. Enroll with the CA
R1(config)#crypto ca enroll IE1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (the password from step 4)
Re-enter password: (the password from step 4)
% The fully-qualified domain name in the certificate will be: R1.ccie.com
% The subject name in the certificate will include: R1.ccie.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 2BC8BAF6
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IE1 verbose' commandwill show the fingerprint.
CRYPTO_PKI: Fingerprint: 1B890E9D 7488A7F9 28BEF64D 5C3F92E9
Aug 17 07:24:46.179:
R1(config)#
Aug 17 07:27:09.872: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority
6. Issue the certificate
At this point R1's request is sitting in the CA's Pending Requests folder; the certificate only becomes valid once it has been issued from there.

7. Final check
R1#show crypto ca certificates
Certificate (the router's own)
Status: Available
Certificate Serial Number: 61F431EA000000000008
Certificate Usage: General Purpose
Issuer:
cn=cisco
Subject:
Name: R1.ccie.com
Serial Number: 2BC8BAF6
hostname=R1.ccie.com
serialNumber=2BC8BAF6
CRL Distribution Point:
http://pz0000/CertEnroll/cisco.crl
Validity Date:
start date: 16:16:22 JST Aug 17 2008
end date: 16:26:22 JST Aug 17 2009
Associated Trustpoints: IE1
CA Certificate (the CA's)
Status: Available
Certificate Serial Number: 0E8D8F1A55240E8C4C8C43AE3022FA98
Certificate Usage: Signature
Issuer:
cn=cisco
Subject:
cn=cisco
CRL Distribution Point:
http://pz0000/CertEnroll/cisco.crl
Validity Date:
start date: 00:06:51 JST Jun 17 2008
end date: 00:15:03 JST Jun 17 2013
Associated Trustpoints: IE1

Confirm that the Certificate Serial Number shown on the command line is the same as the one on the CA.
With that, the CA has issued a certificate to R1...
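The serial number comparisons in steps 3 and 7 are easy to skip when done by eye, so here is a small Python checker, added as an example and not part of the original memo, that parses the `show crypto ca certificates` output and verifies the CA serial against a value obtained out of band (the sample output is a constructed, trimmed copy of the one above; the field names and the expected-serial argument are assumptions of this example).

```python
# Constructed sample: the 'show crypto ca certificates' output from this memo, trimmed.
SAMPLE_OUTPUT = """Certificate
Status: Available
Certificate Serial Number: 61F431EA000000000008
Issuer:
cn=cisco
Subject:
Name: R1.ccie.com
CA Certificate
Status: Available
Certificate Serial Number: 0E8D8F1A55240E8C4C8C43AE3022FA98
Issuer:
cn=cisco
Subject:
cn=cisco
"""

def parse_certs(text):
    """Split IOS 'show crypto ca certificates' output into one dict per certificate."""
    certs, cur, section = [], {}, None   # cur starts as a throwaway dict for junk lines
    for line in text.splitlines():
        line = line.strip()
        if line in ("Certificate", "CA Certificate"):   # start of a new block
            cur, section = {"kind": line}, None
            certs.append(cur)
        elif line in ("Issuer:", "Subject:"):            # DN follows on the next line
            section = line[:-1].lower()
        elif section and line.startswith("cn="):
            cur[section], section = line, None
        elif ": " in line:
            key, val = line.split(": ", 1)
            cur[key] = val
    return certs

def check_enrollment(text, expected_ca_serial):
    """Return findings; an empty list means the trust chain looks consistent."""
    certs = {c["kind"]: c for c in parse_certs(text)}
    ca, mine = certs.get("CA Certificate"), certs.get("Certificate")
    if ca is None or mine is None:
        return ["router or CA certificate missing from output"]
    findings = []
    if ca.get("Certificate Serial Number", "").upper() != expected_ca_serial.upper():
        findings.append("CA serial does not match the out-of-band value")
    if mine.get("issuer") != ca.get("subject"):
        findings.append("router certificate was not issued by the trusted CA")
    for c in (ca, mine):
        if c.get("Status") != "Available":
            findings.append(f"{c['kind']} status is {c.get('Status')}")
    return findings
```

The expected serial should come from the CA's own certificate (the Windows CA's Certification Authority console), not from the router, otherwise the check proves nothing.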