Topology
[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]
[PC-1] eth0: 192.168.1.1/24
[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24
[PC-2] eth0: 192.168.2.1/24
Certificate signing request (CSR)
ROUTER-1#clock set 21:00:00 7 Oct 2012
ROUTER-1(config)#hostname router-1
router-1(config)#ip domain-name lab.net
router-1(config)#crypto pki trustpoint INCAWETRUST
router-1(ca-trustpoint)#enrollment terminal pem
router-1(ca-trustpoint)#fqdn router-1.lab.net
router-1(ca-trustpoint)#subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
router-1(ca-trustpoint)#revocation-check none
router-1(ca-trustpoint)#rsakeypair router-1.lab.net 1024
router-1(config)#crypto key zeroize rsa
router-1(config)#crypto key generate rsa general-keys label router-1.lab.net export modulus 1024
router-1(config)#crypto pki enroll INCAWETRUST
% Start certificate enrollment ..
% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
% The subject name in the certificate will include: router-1.lab.net
% Include the router serial number in the subject name? [yes/no]:no
% Include an IP address in the subject name? [no]:no
Display Certificate Request to terminal? [yes/no]:yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:no
ROUTER-2#clock set 21:02:00 7 Oct 2012
ROUTER-2(config)#hostname router-2
router-2(config)#ip domain-name lab.net
router-2(config)#crypto pki trustpoint INCAWETRUST
router-2(ca-trustpoint)#enrollment terminal pem
router-2(ca-trustpoint)#fqdn router-2.lab.net
router-2(ca-trustpoint)#subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
router-2(ca-trustpoint)#revocation-check none
router-2(ca-trustpoint)#rsakeypair router-2.lab.net 1024
router-2(ca-trustpoint)#crypto key generate rsa general-keys label router-2.lab.net export modulus 1024
router-2(config)#crypto pki enroll INCAWETRUST
% Start certificate enrollment ..
% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
% The subject name in the certificate will include: router-2.lab.net
% Include the router serial number in the subject name? [yes/no]:no
% Include an IP address in the subject name? [no]:no
Display Certificate Request to terminal? [yes/no]:yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:no
CA configuration
LINUX-CA#mkdir /etc/ssl/CA
LINUX-CA#mkdir /etc/ssl/newcerts
LINUX-CA#echo '01' > /etc/ssl/CA/serial
LINUX-CA#touch /etc/ssl/CA/index.txt
LINUX-CA#cat /etc/ssl/openssl.cnf
...
[ CA_default ]
dir = /etc/ssl
database = $dir/CA/index.txt
certificate = $dir/certs/cacert.pem
serial = $dir/CA/serial
private_key = $dir/private/cakey.pem
...
string_mask = default
...
LINUX-CA#openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
...................++++++
................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:MY_SECRET
Verifying - Enter PEM pass phrase:MY_SECRET
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CAnet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:canet.lab.net
Email Address []:root@lab.net
LINUX-CA#mv cakey.pem /etc/ssl/private/.
LINUX-CA#mv cacert.pem /etc/ssl/certs/.
LINUX-CA#cat /etc/ssl/certs/cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Signing CSR
LINUX-CA#cat router-1.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
LINUX-CA#openssl ca -in router-1.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 7 19:05:16 2012 GMT
            Not After : Oct 7 19:05:16 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-1.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier:
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8
Certificate is to be certified until Oct 7 19:05:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct 7 19:05:16 2012 GMT
            Not After : Oct 7 19:05:16 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier:
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8
    Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Data Base Updated
LINUX-CA#cat router-2.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
LINUX-CA#openssl ca -in router-2.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 7 19:06:24 2012 GMT
            Not After : Oct 7 19:06:24 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-2.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier:
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8
Certificate is to be certified until Oct 7 19:06:24 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct 7 19:06:24 2012 GMT
            Not After : Oct 7 19:06:24 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier:
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8
    Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Data Base Updated
LINUX-CA#ls -l /etc/ssl/newcerts
total 8
-rw-r--r-- 1 root root 3104 oct 7 21:05 01.pem
-rw-r--r-- 1 root root 3104 oct 7 21:06 02.pem
Importing CA certificate
router-1(config)#crypto pki authenticate INCAWETRUST
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E
Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B

% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
router-2(config)#crypto pki authenticate INCAWETRUST
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E
Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B

% Do you accept this certificate? [yes/no]:yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Importing signed certificate
router-1(config)#crypto pki import INCAWETRUST certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
% Router Certificate successfully imported
router-2(config)#crypto pki import INCAWETRUST certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
% Router Certificate successfully imported
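The enrollment loop above, from the CSR the router emits to the certificate it imports, as an added Go example that is not part of the original post: it builds a constructed CA and CSR with the lab's subject (2048-bit keys instead of the 1024-bit ones used above), refuses to sign a CSR whose self-signature fails or whose CN is not the expected router FQDN, issues the same 365-day CA:FALSE certificate, and formats a certificate's MD5/SHA1 fingerprints the way the "crypto pki authenticate" prompt shows them, so the CA-side value can be compared before answering yes. NewLabPKI, SignRouterCSR and CiscoFingerprints are my own names, and only Go's standard library is used, so nothing here needs OpenSSL.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewLabPKI builds constructed fixtures: a self-signed CA (the "openssl req -new -x509" step) and
// a CSR carrying the subject "crypto pki enroll" sends for cn. The router key is generated and dropped here.
func NewLabPKI(cn string) (*x509.Certificate, *rsa.PrivateKey, []byte, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "canet.lab.net"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(3650 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	rtKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	subj := pkix.Name{Country: []string{"ES"}, Province: []string{"CAT"}, Organization: []string{"CAnet"},
		OrganizationalUnit: []string{"Engineering"}, CommonName: cn}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, rtKey)
	return ca, caKey, csr, err
}

// SignRouterCSR does what "openssl ca" leaves to the operator at "Sign the certificate? [y/n]": it refuses a CSR
// whose self-signature fails (no proof of possession) or whose CN is not the expected FQDN, then issues a 365-day CA:FALSE certificate.
func SignRouterCSR(csrDER []byte, expectedCN string, serial int64, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if csr.Subject.CommonName != expectedCN {
		return nil, fmt.Errorf("refusing CSR: CN %q is not %q", csr.Subject.CommonName, expectedCN)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false, i.e. "CA:FALSE" as in the openssl output
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// CiscoFingerprints renders MD5 and SHA1 of a DER certificate as IOS prints them at "crypto pki authenticate"
// (upper-case hex in groups of eight), so the value can be compared out of band before answering "yes".
func CiscoFingerprints(der []byte) (md5fp, sha1fp string) {
	m, s := md5.Sum(der), sha1.Sum(der)
	md5fp = fmt.Sprintf("%X %X %X %X", m[0:4], m[4:8], m[8:12], m[12:16])
	sha1fp = fmt.Sprintf("%X %X %X %X %X", s[0:4], s[4:8], s[8:12], s[12:16], s[16:20])
	return md5fp, sha1fp
}
```

Feeding ca.Raw to CiscoFingerprints gives the two lines to compare against the router's "Certificate has the following attributes" output.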
Configuring static crypto maps
router-1(config)#crypto isakmp policy 1
router-1(config-isakmp)#authentication rsa-sig
router-1(config-isakmp)#encryption aes
router-1(config-isakmp)#group 2
router-1(config-isakmp)#lifetime 86400
router-1(config)#crypto isakmp aggressive-mode disable
router-1(config)#crypto isakmp enable
router-1(config)#ip access-list extended CRYPTO_ACL
router-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-1(config)#crypto map CRYPTO_MAP 1 ipsec-isakmp
router-1(config-crypto-map)#set peer 12.12.12.2
router-1(config-crypto-map)#match address CRYPTO_ACL
router-1(config-crypto-map)#set transform-set TRANSFORM_SET
router-1(config-crypto-map)#set pfs group2
router-1(config)#interface fa0/0
router-1(config-if)#crypto map CRYPTO_MAP
router-1(config-if)#ip nat outside
router-1(config)#interface fa0/1
router-1(config-if)#ip nat inside
router-1(config)#ip route 192.168.2.0 255.255.255.0 12.12.12.2
router-1(config)#ip access-list extended ACL_NONAT
router-1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config-ext-nacl)#permit ip any any
router-1(config)#ip nat inside source list ACL_NONAT interface fa0/0 overload
router-2(config)#crypto isakmp policy 1
router-2(config-isakmp)#authentication rsa-sig
router-2(config-isakmp)#encryption aes
router-2(config-isakmp)#hash sha
router-2(config-isakmp)#group 2
router-2(config-isakmp)#lifetime 86400
router-2(config)#crypto isakmp aggressive-mode disable
router-2(config)#crypto isakmp enable
router-2(config)#ip access-list extended CRYPTO_ACL
router-2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-2(config)#crypto map CRYPTO_MAP 1 ipsec-isakmp
router-2(config-crypto-map)#set peer 12.12.12.1
router-2(config-crypto-map)#match address CRYPTO_ACL
router-2(config-crypto-map)#set transform-set TRANSFORM_SET
router-2(config-crypto-map)#set pfs group2
router-2(config)#interface fa0/0
router-2(config-if)#crypto map CRYPTO_MAP
router-2(config-if)#ip nat outside
router-2(config)#interface fa0/1
router-2(config-if)#ip nat inside
router-2(config)#ip route 192.168.1.0 255.255.255.0 12.12.12.1
router-2(config)#ip access-list extended ACL_NONAT
router-2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config-ext-nacl)#permit ip any any
router-2(config)#ip nat inside source list ACL_NONAT interface fa0/0 overload
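An added consistency check for the two crypto-map configurations above (example code written for this page, not part of the original post): it parses the ACL lines exactly as typed at the (config-ext-nacl)# prompt, takes the outside addresses from the topology, and reports a "set peer" that does not point at the other side, a CRYPTO_ACL entry without its mirror on the far router, or interesting traffic that ACL_NONAT does not deny, which the "overload" PAT would otherwise rewrite before encryption. Flow, Peer, ParseACL, LabPeers and CheckPair are my own names.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Flow is one "ip <src> <wildcard> <dst> <wildcard>" entry of an IOS extended ACL.
type Flow struct{ Src, SrcWc, Dst, DstWc string }

// Mirror is the same flow as seen from the other end of the tunnel.
func (f Flow) Mirror() Flow { return Flow{f.Dst, f.DstWc, f.Src, f.SrcWc} }

// ParseACL reads "permit ip ..." / "deny ip ..." lines as typed at the (config-ext-nacl)# prompt,
// skipping the prompt prefix, and returns the flows that carry the requested action.
func ParseACL(lines, action string) []Flow {
	var out []Flow
	for _, l := range strings.Split(lines, "\n") {
		if i := strings.Index(l, "#"); i >= 0 {
			l = l[i+1:]
		}
		f := strings.Fields(l)
		if len(f) == 6 && f[0] == action && f[1] == "ip" {
			out = append(out, Flow{f[2], f[3], f[4], f[5]})
		}
	}
	return out
}

// Peer is what the check needs from one side: the crypto ACL permits, the NAT ACL denies,
// the configured "set peer" and the router's own outside address (taken from the topology).
type Peer struct {
	Name, OutsideIP, SetPeer string
	Crypto, NoNAT            []Flow
}

// LabPeers builds both sides from the ACL lines of the page and the topology addresses (constructed input).
func LabPeers() (Peer, Peer) {
	r1 := Peer{Name: "router-1", OutsideIP: "12.12.12.1", SetPeer: "12.12.12.2",
		Crypto: ParseACL("router-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255", "permit"),
		NoNAT:  ParseACL("router-1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\nrouter-1(config-ext-nacl)#permit ip any any", "deny")}
	r2 := Peer{Name: "router-2", OutsideIP: "12.12.12.2", SetPeer: "12.12.12.1",
		Crypto: ParseACL("router-2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255", "permit"),
		NoNAT:  ParseACL("router-2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\nrouter-2(config-ext-nacl)#permit ip any any", "deny")}
	return r1, r2
}

// CheckPair lists every mismatch that would quietly break the tunnel: a "set peer" that is not the
// other side's outside address, a crypto ACL entry without its mirror on the other side, and
// interesting traffic not exempted from NAT (the overload PAT would rewrite it before encryption).
func CheckPair(a, b Peer) []string {
	var problems []string
	for _, p := range [][2]Peer{{a, b}, {b, a}} {
		me, other := p[0], p[1]
		if me.SetPeer != other.OutsideIP {
			problems = append(problems, fmt.Sprintf("%s: set peer %s, but %s outside address is %s", me.Name, me.SetPeer, other.Name, other.OutsideIP))
		}
		for _, f := range me.Crypto {
			if !slices.Contains(other.Crypto, f.Mirror()) {
				problems = append(problems, fmt.Sprintf("%s: crypto ACL entry %v has no mirror on %s", me.Name, f, other.Name))
			}
			if !slices.Contains(me.NoNAT, f) {
				problems = append(problems, fmt.Sprintf("%s: crypto ACL entry %v is not denied in the NAT ACL", me.Name, f))
			}
		}
	}
	return problems
}
```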