December 2020

Sharing the configuration of the ASA as a local certificate authority (Local CA)

Configuring the ASA local certificate authority (Local CA):
Command line:
ASA(config)# crypto ca server
ASA(config-ca-server)# ?
CA Server configuration commands:
cdp-url CRL Distribution Point to be included in the issued
certificates
database Local Certificate Server database location
configuration
enrollment-retrieval Enrollment-retrieval timeout configuration
exit Exit from Certificate Server entry mode
help Help for crypto ca server configuration commands
issuer-name Issuer name
keysize Configure the size of keypair in bits to generate for
certificate enrollments or for the local CA server
lifetime Lifetime parameters
no Negate a command or set its defaults
otp One-Time Password configuration options
publish-crl Make the CRL available for download via HTTP
renewal-reminder Enrollment renewal-reminder time configuration
shutdown Shutdown the Local Certificate Server
smtp SMTP settings for enrollment E-mail notifications
subject-name-default Subject name default configuration for issued
certificates
ASDM:
[ASDM screenshot of the CA Server page, not reproduced in the extracted page]
(Personally, I think configuring it with ASDM is easier.)
Adding a user:
Command line:
crypto ca server user-db add email dn
ASDM:
[ASDM screenshots of the user-database page, not reproduced in the extracted page]
Managing users or certificates (the local CA can add/delete/view/revoke/unrevoke users or certificates):
Command line:
show crypto ca server user-db
show crypto ca server cert-db
crypto ca server revoke
crypto ca server unrevoke
Certificate enrollment:
The local CA lets users enroll through the link below. Note: enrollment can only be completed through a port on which WebVPN is enabled.
https:///+CSCOCA+/enroll.html
A user added from the command line must first have the enrollment request allowed on the ASA:
crypto ca server user-db allow
A user added through ASDM is allowed by default.
Generating an OTP (one-time password):
Command line:
ciscoasa(config)# cry ca ser user-db allow testuser1 display-otp
Username: testuser1
OTP: A7B501C0BC8A5EB0
Enrollment Allowed Until: 14:34:25 GMT Sat Apr 11 2015
ASDM:
[ASDM screenshot of the allow-enrollment/OTP dialog, not reproduced in the extracted page]
When the user enrolls a certificate through the web page, it looks like this:
[Screenshots of the web enrollment flow, not reproduced in the extracted page]
If an SMTP server is configured, the OTP and enrollment information can be sent to the user by e-mail.
Notes:
The local CA does not support Active/Active (A/A) failover or VPN load balancing.
The local CA does not support SCEP.
The local CA cannot be a subordinate of another CA; it can only act as a root CA.
An ASA supports only one local CA.
The ASA cannot enroll its own certificate through its own local CA; an ASA self-signed certificate must be used.
ASA self-signed certificate:
Command line:
crypto ca trustpoint asa-ssl-cert
enrollment self
subject-name CN=myASA,OU=Engineering,O=Companyname
crypto ca enroll asa-ssl-cert
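The following is an added, consolidated example of the whole procedure above in ASA configuration form; it is not taken from the original post. The domain example.com, the mail server address 192.0.2.25, the interface name "outside", the user testuser1 and the certificate serial number 1A are assumed placeholders.

```text
! --- Bring up the local CA (assumed values; global configuration mode) ---
crypto ca server
 issuer-name CN=asa-local-ca.example.com,O=ExampleCorp
 keysize server 2048
 keysize 2048
 lifetime ca-certificate 3650
 lifetime certificate 365
 lifetime crl 6
 cdp-url http://asa.example.com/+CSCOCA+/asa_ca.crl
 publish-crl outside 80
 enrollment-retrieval 24
 otp expiration 72
 renewal-reminder 14
 subject-name-default O=ExampleCorp,C=US
 smtp from-address local-ca@example.com
 no shutdown
! 'no shutdown' prompts for the passphrase protecting the CA key pair;
! it is needed again to restore the CA, so store it securely.
!
! --- Enrollment runs over the WebVPN listener, so enable it on the interface ---
webvpn
 enable outside
!
! --- Mail server used for OTP / enrollment e-mail notifications ---
smtp-server 192.0.2.25
!
! --- Add a user, then allow enrollment and display the OTP ---
crypto ca server user-db add testuser1 dn CN=testuser1,O=ExampleCorp email testuser1@example.com
crypto ca server user-db allow testuser1 display-otp
!
! --- Verify, and revoke by serial number if a user device is lost ---
show crypto ca server user-db allowed
show crypto ca server cert-db user testuser1
crypto ca server revoke 1A
!
! --- The ASA cannot enroll with its own local CA: self-signed trustpoint for SSL ---
crypto ca trustpoint asa-ssl-cert
 enrollment self
 subject-name CN=asa.example.com,OU=Engineering,O=ExampleCorp
crypto ca enroll asa-ssl-cert noconfirm
ssl trust-point asa-ssl-cert outside
```

The short CRL lifetime together with publish-crl is what lets relying parties actually see a revocation; without publish-crl the cdp-url in issued certificates points at nothing.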
Comments
Ning Zhang
Cisco Employee
Very good, very powerful!
Fisheryu
Cisco Employee
First!
qiangzh2
Cisco Employee
:lol! Very good! Very practical!
fusong
Cisco Employee
shlei
Cisco Employee
Very good, very powerful!
siyzhang
Advisor
Very practical, solid content!!!
xupeng
Cisco Employee
Thanks to the original poster for sharing.