Please help with Self-signed Certificate
phulieu2007
10-05-2010, 08:38 AM
I read an article about Self-signed Certificates. It showed these commands:
---------------------------------------------------------------------
crypto pki trustpoint TP-self-signed-427038573
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-427038573
revocation-check none
rsakeypair TP-self-signed-427038573
!
crypto pki certificate chain TP-self-signed-427038573
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323730 33383537 33301E17 0D303830 33313630 38343935
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3432 37303338
35373330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
quit
-----------------------------------------------------------------------
- When I enter those commands I don't get that result; at the commands "crypto pki certificate chain TP-self-signed-427038573
certificate self-signed 01" I'm prompted to enter the certificate's hex code!
- Please help. Which command generates the self-signed certificate?
- Thanks for your attention!
dangquangminh
19-05-2010, 12:30 AM
Start over and begin with the crypto pki trustpoint command first.
crypto pki trustpoint local
enrollment selfsigned
Note that in chain mode you can still delete and recreate the certificates.
phulieu2007
20-05-2010, 04:34 PM
Yes, thank you!
- I'm doing an IPsec VPN lab in GNS3 that uses a CA, but when I shut GNS3 down and start it again, establishing the VPN fails with the error: no CA to authenticate!
- How do I stop that from happening after the router is powered off and back on, Minh?
phamminhtuan
21-05-2010, 02:15 AM
Hi,
Resynchronize the time and then try connecting again.
phulieu2007
21-05-2010, 05:07 PM
Thanks! I'm on Win 7 and emulating 7200 routers. They take their time from Win 7 automatically. So do I need to synchronize the time? When I 'show clock' on all 3 routers, their time is in sync. The configuration is as follows:
CN1#sh run
Building configuration...
Current configuration : 3457 bytes
!
! Last configuration change at 02:06:12 UTC Sat May 23 2009
! NVRAM config last updated at 02:06:13 UTC Sat May 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CN1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
ip domain name vnpro.org
crypto pki trustpoint ca_server
enrollment retry count 5
enrollment retry period 3
enrollment url http://172.26.26.51:80
revocation-check none
!
!
crypto pki certificate chain ca_server
certificate 02
308201B1 3082015B A0030201 02020102 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30313539 32385A17
0D303931 32303930 31353932 385A301E 311C301A 06092A86 4886F70D 01090216
0D434E31 2E766E70 726F2E6F 7267305C 300D0609 2A864886 F70D0101 01050003
4B003048 024100CB E63418D5 DFA1860C 76D2572C DD8148B8 A4702708 198826E8
360D0FC8 A1C27345 C5AE835E 5436D595 D594F366 9795D458 E5E7E89C A0D915FC
E2C68555 7F2BCB02 03010001 A3753073 30240603 551D1F04 1D301B30 19A017A0
15861368 7474703A 2F2F3137 322E3236 2E32362E 3531300B 0603551D 0F040403
0205A030 1F060355 1D230418 30168014 43625F84 CA23F94D FE6BC136 4F9D5A0B
CE10D3F5 301D0603 551D0E04 1604144B EAA96D9D ED0507E0 3564EF67 22109109
4EC1C930 0D06092A 864886F7 0D010104 05000341 000B925B B88E5936 BFCDCCA1
0A12EC26 70DCF4EF 38C368B8 61B5C501 EB76006E A5DD4BF6 79614177 E62F47DC
213F9486 68FB0F8B 5A6CD1A0 642B21F8 0510B759 32
quit
certificate ca 01
308201AE 30820158 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30313436 35305A17
0D313030 35323330 31343635 305A302D 312B3029 06035504 03142276 6E70726F
40766E70 726F2E6F 7267204C 3D54502E 48434D20 433D5669 65744E61 6D305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100AA25 32DE1586 E122B45E
F9E2E46E E4E951D2 FA00822C B6AF1CAA 4A56BFA9 77792669 BE3CF9D4 F4BA5A75
192E7AE9 683875E7 913763B8 F4823ABD BB826E4E A4F90203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1443625F 84CA23F9 4DFE6BC1 364F9D5A 0BCE10D3
F5301D06 03551D0E 04160414 43625F84 CA23F94D FE6BC136 4F9D5A0B CE10D3F5
300D0609 2A864886 F70D0101 04050003 41000F41 D904EF9D B6806210 1310DAAC
34B56337 2C9BB45D F4C10E8A 904ADC5D C14F56F9 25726979 E3D21E2F 0659A5F9
149C0374 2A8CB14C 55C18FA4 17381277 0AE2
quit
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map xxx 100 ipsec-isakmp
set peer 172.30.2.2
set transform-set vpn
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 172.30.1.2 255.255.255.0
duplex auto
speed auto
crypto map xxx
!
interface FastEthernet0/1
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 172.30.1.1
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp clock-period 17179924
ntp server 172.26.26.51
!
end
CN2#sh run
Building configuration...
Current configuration : 3459 bytes
!
! Last configuration change at 02:05:36 UTC Sat May 23 2009
! NVRAM config last updated at 02:05:36 UTC Sat May 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CN2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
ip domain name vnpro.org
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint ca_server
enrollment retry count 5
enrollment retry period 3
enrollment url http://172.26.26.51:80
revocation-check none
!
!
crypto pki certificate chain ca_server
certificate 03
308201B1 3082015B A0030201 02020103 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30323033 35335A17
0D303931 32303930 32303335 335A301E 311C301A 06092A86 4886F70D 01090216
0D434E32 2E766E70 726F2E6F 7267305C 300D0609 2A864886 F70D0101 01050003
4B003048 024100D3 EEF9FFEE F1A97117 79859161 66C0D64E 64637E42 0A894EBE
E6F7B6D8 9F2B2F11 A3364525 D47C6176 CA149D25 A132928E 0D03D2F6 84423F7D
CB7C349F 76F23302 03010001 A3753073 30240603 551D1F04 1D301B30 19A017A0
15861368 7474703A 2F2F3137 322E3236 2E32362E 3531300B 0603551D 0F040403
0205A030 1F060355 1D230418 30168014 43625F84 CA23F94D FE6BC136 4F9D5A0B
CE10D3F5 301D0603 551D0E04 1604146D F058828C A88410F6 DD3FAF12 DADD03FA
79212230 0D06092A 864886F7 0D010104 05000341 009EC648 4F31F394 EC4EB5E2
9AEACD6C 311147D2 719C1035 92327225 2AE2DD3D DE316FD6 213C4F0A 115A45F3
C7EB8C40 00D3923C A88C7FD4 F103F7C3 396F5D6E 19
quit
certificate ca 01
308201AE 30820158 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30313436 35305A17
0D313030 35323330 31343635 305A302D 312B3029 06035504 03142276 6E70726F
40766E70 726F2E6F 7267204C 3D54502E 48434D20 433D5669 65744E61 6D305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100AA25 32DE1586 E122B45E
F9E2E46E E4E951D2 FA00822C B6AF1CAA 4A56BFA9 77792669 BE3CF9D4 F4BA5A75
192E7AE9 683875E7 913763B8 F4823ABD BB826E4E A4F90203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1443625F 84CA23F9 4DFE6BC1 364F9D5A 0BCE10D3
F5301D06 03551D0E 04160414 43625F84 CA23F94D FE6BC136 4F9D5A0B CE10D3F5
300D0609 2A864886 F70D0101 04050003 41000F41 D904EF9D B6806210 1310DAAC
34B56337 2C9BB45D F4C10E8A 904ADC5D C14F56F9 25726979 E3D21E2F 0659A5F9
149C0374 2A8CB14C 55C18FA4 17381277 0AE2
quit
!
!
!
crypto isakmp policy 100
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map xxx 100 ipsec-isakmp
set peer 172.30.1.2
set transform-set vpn
match address 101
!
!
!
!
interface FastEthernet0/0
ip address 10.0.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.2.2 255.255.255.0
duplex auto
speed auto
crypto map xxx
!
ip route 0.0.0.0 0.0.0.0 172.30.2.1
!
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp clock-period 17179886
ntp server 172.26.26.51
!
end
ca_server#sh run
Building configuration...
Current configuration : 2217 bytes
!
! Last configuration change at 01:47:04 UTC Sat May 23 2009
! NVRAM config last updated at 01:32:17 UTC Sat May 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ca_server
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki server vnpro
database level names
issuer-name CN=vnpro@vnpro.org L=TP.HCM C=VietNam
grant auto
lifetime crl 24
lifetime certificate 200
lifetime ca-certificate 365
cdp-url http://172.26.26.51
!
crypto pki trustpoint vnpro
revocation-check crl
rsakeypair vnpro
!
!
crypto pki certificate chain vnpro
certificate ca 01
308201AE 30820158 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30313436 35305A17
0D313030 35323330 31343635 305A302D 312B3029 06035504 03142276 6E70726F
40766E70 726F2E6F 7267204C 3D54502E 48434D20 433D5669 65744E61 6D305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100AA25 32DE1586 E122B45E
F9E2E46E E4E951D2 FA00822C B6AF1CAA 4A56BFA9 77792669 BE3CF9D4 F4BA5A75
192E7AE9 683875E7 913763B8 F4823ABD BB826E4E A4F90203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1443625F 84CA23F9 4DFE6BC1 364F9D5A 0BCE10D3
F5301D06 03551D0E 04160414 43625F84 CA23F94D FE6BC136 4F9D5A0B CE10D3F5
300D0609 2A864886 F70D0101 04050003 41000F41 D904EF9D B6806210 1310DAAC
34B56337 2C9BB45D F4C10E8A 904ADC5D C14F56F9 25726979 E3D21E2F 0659A5F9
149C0374 2A8CB14C 55C18FA4 17381277 0AE2
quit
!
!
!
!
!
!
interface Loopback1
ip address 172.26.26.51 255.255.255.0
!
interface FastEthernet0/0
ip address 172.30.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.2.1 255.255.255.0
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
ntp master 5
!
end
- I followed the tutorial on VNPRO. I tried the "ntp" commands to synchronize the time, but after a restart the IPsec VPN still won't come up; it reports that the CA cannot be found. Hope you can help. Many thanks!
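An added illustration of phamminhtuan's time-sync advice (my own code, not from the thread): the hex that IOS prints under `certificate ca 01` is a DER certificate, and a router only trusts the CA while its clock falls inside that certificate's notBefore/notAfter window. The script below decodes the ca_server CA certificate copied from the config above with a minimal DER walker and reports how a router with a given clock would judge it; the helper names (`read_tlv`, `children`, `certificate_validity`, `clock_status`) are mine.

```python
import datetime as dt
# The CA certificate exactly as the ca_server running-config above prints it (copied from the page).
IOS_CA_CERT = """
308201AE 30820158 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2D312B30 29060355 04031422 766E7072 6F40766E 70726F2E 6F726720 4C3D5450
2E48434D 20433D56 6965744E 616D301E 170D3039 30353233 30313436 35305A17
0D313030 35323330 31343635 305A302D 312B3029 06035504 03142276 6E70726F
40766E70 726F2E6F 7267204C 3D54502E 48434D20 433D5669 65744E61 6D305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100AA25 32DE1586 E122B45E
F9E2E46E E4E951D2 FA00822C B6AF1CAA 4A56BFA9 77792669 BE3CF9D4 F4BA5A75
192E7AE9 683875E7 913763B8 F4823ABD BB826E4E A4F90203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1443625F 84CA23F9 4DFE6BC1 364F9D5A 0BCE10D3
F5301D06 03551D0E 04160414 43625F84 CA23F94D FE6BC136 4F9D5A0B CE10D3F5
300D0609 2A864886 F70D0101 04050003 41000F41 D904EF9D B6806210 1310DAAC
34B56337 2C9BB45D F4C10E8A 904ADC5D C14F56F9 25726979 E3D21E2F 0659A5F9
149C0374 2A8CB14C 55C18FA4 17381277 0AE2
quit
"""
CA_DER = bytes.fromhex("".join(w for w in IOS_CA_CERT.split() if w != "quit"))  # IOS closes the dump with "quit"

def read_tlv(buf: bytes, pos: int = 0):
    # Decode one DER element starting at pos -> (tag, value, position just after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    # (tag, value) of every element directly inside a constructed DER value (SEQUENCE, SET, ...).
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def certificate_validity(der: bytes):
    # (notBefore, notAfter) as aware UTC datetimes, read from TBSCertificate.validity.
    fields = children(children(read_tlv(der)[1])[0][1])   # Certificate -> TBSCertificate
    if fields[0][0] == 0xA0:                               # explicit [0] version is optional
        fields = fields[1:]
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime / GeneralizedTime
    return tuple(dt.datetime.strptime(v.decode("ascii"), fmt[t]).replace(tzinfo=dt.timezone.utc)
                 for t, v in children(fields[3][1]))      # fields: serial, sigAlg, issuer, validity

def clock_status(der: bytes, router_clock: dt.datetime) -> str:
    # What a router whose clock reads router_clock concludes about this certificate.
    nb, na = certificate_validity(der)
    return "not yet valid" if router_clock < nb else "expired" if router_clock > na else "valid"
```

Any of the other hex blocks above (`certificate 02`, `certificate 03`) can be pasted into `IOS_CA_CERT` in place of this one to read the router certificates' own windows.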
ngango_
26-05-2010, 10:20 PM
Sigh, I'm trying to figure this out too, I don't understand any of it, it's so hard.