I am not sure whether there is a better way. Neither Cisco nor anyone else has good documentation on how to renew the certificate once the SSL certificate has expired. Every two years I have to face this problem and renew the SSL certificates on all of the routers. As far as I know you cannot renew the existing certificate in place: you have to create a new trustpoint, generate a new CSR and import the renewed certificate. In practice you can reuse the same trustpoint configuration as before, as long as you give the trustpoint a different name.

Here again are the steps I followed a few years ago in the following post:

1. Create a new trustpoint with a new name, Symantec2017
Some background:

  • trustpoint: a container for configuring and defining the parameters around a certificate
  • crypto ca trustpoint: declares the CA that the router should use (crypto ca is the older syntax; current IOS uses crypto pki trustpoint for the same command)
  • subject-name [x.500-name]: specifies the subject name in the certificate request. If the subject-name subcommand is not used, the router's fully qualified domain name (FQDN) is used by default. Used in ca-trustpoint configuration mode.

16th-M#show crypto key mypubkey all
% Key pair was generated at: 09:55:58 EST Mar 9 2013
Key name: TP-self-signed-2633522734
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A4C55D
1DEEAEDB EAAE75D0 989275A6 B5426968 CB1C0ABE 8E585118 872A84AF 559BE393
A91ECCFB 276561C6 E4D0AEAF 5B5943E8 5690DD8B 256F0BDC B3E8FC6F DB1492AC
AD6AC5B5 FA22C688 436EB5DA E64FAEC8 E8EE1A37 B387A28F 3263A0A4 B85B46FB
4F1AB7DD 5D172666 1CEFBB8C 60654CFB 9DEA11C7 C689E036 21A5329D 59020301 0001
% Key pair was generated at: 17:32:48 EDT Mar 10 2014
Key name: 16th-M.test.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00DF8C50 A98D8C62 1101D434 5AA2E780 730C9866 4E363B78 5A3DE7EE 8C759DFA
348DAD35 E6B3CD46 1D976EEC 79D5B9DD 4E606F03 15C252E9 CA62E231 11CF493B
82DCB66E 1F71FAF7 30215164 4070BF33 190A999A 5B440137 64CF6D68 CDAE9D05
B71E9AC2 D042D2A4 5050D438 5738688C C44BF585 79757D73 8F2934FD 148255EC
F0EC9D13 E47E1A41 038227DA 973ED65C 013C1468 2A63E064 3BDD5018 B6D8C192
49B2914D 25255262 B121021B C69F9D38 D5091C21 A6218924 9914057A 41CD767F
DCB400B3 C489165A 1A62FE63 9C7C7538 9974E710 A9E84F6B 05FBD6D5 0D4D5051
E83B2316 C5037EAF 7B9AE0A0 20D30BF9 7862FD12 5468BBFA 09D103A1 1D2E2876
F5020301 0001

% Key pair was generated at: 13:55:31 EST Nov 22 2015
Key name: TP-self-signed-2633522734.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B03C6F 367C38A3
17EA9CD0 894C5D85 61629C37 F12A0E08 222F7851 E6E07E0A 894BD454 42EDEE0A
C818957A 0FC3863B 2F571747 93E06B6C F52552F3 EE5E72B6 6F2C0B59 0B7F52E7
9AC7DA2A 47D69833 6B32F64D A05DD6B3 360D6325 E3270409 D1020301 0001

The trustpoint below reuses the existing 2048-bit key pair named 16th-M.test.com (generated in March 2014, shown in the output above) through the rsakeypair command, so the renewed certificate is bound to the same private key as the expiring one. If a fresh key is preferred, generate it first (for example: crypto key generate rsa label 16th-M-2017 modulus 2048) and reference that label instead. revocation-check none disables CRL and OCSP checking for certificates validated against this trustpoint; it keeps enrollment simple, but on a VPN gateway that authenticates peers against this CA it should be revisited once the chain is in place.

16th-M(config)#
crypto pki trustpoint Symantec2017
 enrollment terminal
 fqdn 16th-M.test.com
 subject-name CN=16th-M.test.com,OU=IT,O=Test,C=CA,ST=Ontario
 revocation-check none
 rsakeypair 16th-M.test.com
!

2. Generate the CSR

16th-M(config)#crypto pki enroll Symantec2017
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=16th-M.test.com,OU=IT,O=Test,C=CA,ST=Ontario
% The subject name in the certificate will include: 16th-M.test.com
% Include the router serial number in the subject name? [yes/no]:
no
% Include an IP address in the subject name? [no]:
no
Display Certificate Request to terminal? [yes/no]:
yes
Certificate Request follows:

MIIC6TCCAdECAQAwgYIxEDAOBgNVBAgTB09udGFyaW8xCzAJgNVBAYTAkNBMQww
CgYDVQQKDANHJkQxCzAJBgNVBAsTAklUMR8wHQYDVQQDExxNnRoLU1hcmtoYW0u
Z2ktZGUuY29tMSUwIwYJKoZIhvcNAQkCFhYxNnRoLU1hcmtoW0uZ2ktZGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA34xQqYMYhEB1DRaoueA
cwyYZk42O3haPefujHWd+jSNrTXms81GHZdu7HnVud1OYG8DcJS6cpi4jERz0k7
gty2bh9x+vcwIVFkQHC/MxkKmZpbRAE3ZM9taM2unQW3HprC0ESpFBQ1DhXOGiM
xEv1hXl1fXOPKTT9FIJV7PDsnRPkfhpBA4In2pc+1lwBPBRomPgZDvdUBi22MGS
SbKRTSUlUmKxIQIbxp+dONUJHCGmIYkkmRQFekHNdn/ctACzxkWWhpi/mOcfHU4
mXTnEKnoT2sF+9bVDU1QUeg7IxbFA36ve5rgoCDTC/l4Yv0SVi7+gnRA6EdLih2
9QIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBMCBaAwDQYJKoZI
hvcNAQEFBQADggEBAHoO0tkllzrj0hEw9rcliL8iVzZehBYJAN8l2p8k/EYWetb
AF8qqC+cZiVEh2DQ90V+Lz1/sQE+h8l2EYIPQsHNX4mDgVKTERTH9PrMD45ehBa
kZMxmhWq9wdBSzAaUa55jeiTmdKFp+mi5+eGNe/+EM0ZGSpInYeDA3JTB98gGCP
YgLge/4bRdZP0qstI0a7g/WQWDS11Epgc1H0F2CMYeBzzmJSoro2jpRo0bqKb0Q
BVkW39wVrk2+QB5zAYCf1ZhKi46ZOR/5VP/phDtNo9Qt309rjkNqEJG8xyJXgez
i6aUchapQhqWZ8Bl8tmzq5OKsJW2HaHOw9ZylAA=

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]:

3. Send the CSR to Symantec to renew the certificate

A few days later Symantec will send you an e-mail confirming that your SSL certificate is ready.

4. Import the intermediate CA certificate into your trustpoint
In the downloaded zip file you will find several files, including two certificates. One is named IntermediateCA.crt, the other ssl_certificate.crt.

We import IntermediateCA.crt into the newly created Symantec2017 trustpoint.

16th-M(config)#crypto pki authenticate Symantec2017

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
(contents of IntermediateCA.crt, omitted here)
-----END CERTIFICATE-----

Trustpoint 'Symantec2017' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: 23D5858E BC898610 7CB7AC1E 17F726C5
Fingerprint SHA1: FF67367C 5CD4DE4A E18BCCE1 D70FDABD 7C866135

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Before answering yes, compare the fingerprint the router prints with the one computed from IntermediateCA.crt on a workstation (for example: openssl x509 -in IntermediateCA.crt -noout -fingerprint -sha1). Accepting a CA certificate whose fingerprint has not been checked is exactly what lets a substituted chain into the trustpoint.


5. Import the SSL certificate

ssl_certificate.crt holds the SSL certificate signed by Symantec; this is the one imported into the router.

16th-M(config)#crypto pki import Symantec2017 certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
(contents of ssl_certificate.crt, omitted here)
-----END CERTIFICATE-----

% Router Certificate successfully imported

16th-M(config)#


Verification:

16th-M#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 6EAB8A40ED47C489B55095818DEB8749
Certificate Usage: General Purpose
Issuer:
cn=Symantec Class 3 Secure Server CA - G4
ou=Symantec Trust Network
o=Symantec Corporation
c=US
Subject:
Name: 16th-M.test.com
cn=16th-M.test.com
o=Giesecke & Devrient systems canada inc
l=Markham
st=Ontario
c=CA
CRL Distribution Points:
http://ss.symcb.com/ss.crl
Validity Date:
start date: 19:00:00 EST Feb 20 2017
end date: 19:59:59 EDT Mar 8 2020
Associated Trustpoints: Symantec2017
Storage: nvram:SymantecClas#8749.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 513FB9743870B73440418D30930699FF
Certificate Usage: Signature
Issuer:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign, Inc.
c=US
Subject:
cn=Symantec Class 3 Secure Server CA - G4
ou=Symantec Trust Network
o=Symantec Corporation
c=US
CRL Distribution Points:
http://s1.symcb.com/pca3-g5.crl
Validity Date:
start date: 20:00:00 EDT Oct 30 2013
end date: 19:59:59 EDT Oct 30 2023
Associated Trustpoints: Symantec2017
Storage: nvram:VeriSignClas#99FFCA.cer

Certificate
Status: Available
Certificate Serial Number (hex): 04681FB41D03897F3C61766E1DD5C42F
Certificate Usage: General Purpose
Issuer:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at //www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign, Inc.
c=US
Subject:
Name: 16th-M.test.com
cn=16th-M.test.com
ou=Terms of use at www.verisign.com/rpa (c)05
o=Giesecke & Devrient systems canada inc
l=Markham
st=Ontario
c=CA
CRL Distribution Points:
http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
Validity Date:
start date: 20:00:00 EDT Mar 9 2014
end date: 18:59:59 EST Mar 9 2017
Associated Trustpoints: Verisign2014
Storage: nvram:VeriSignClas#C42F.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 6ECC7AA5A7032009B8CEBCF4E952D491
Certificate Usage: Signature
Issuer:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign, Inc.
c=US
Subject:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at //www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign, Inc.
c=US
CRL Distribution Points:
http://crl.verisign.com/pca3-g5.crl
Validity Date:
start date: 19:00:00 EST Feb 7 2010
end date: 18:59:59 EST Feb 7 2020
Associated Trustpoints: Verisign2014
Storage: nvram:VeriSignClas#D491CA.cer

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2633522734
Subject:
Name: IOS-Self-Signed-Certificate-2633522734
cn=IOS-Self-Signed-Certificate-2633522734
Validity Date:
start date: 09:55:58 EST Mar 9 2013
end date: 19:00:00 EST Dec 31 2019
Associated Trustpoints: TP-self-signed-2633522734
Storage: nvram:IOS-Self-Sig#1.cer


16th-M#

All three generations now coexist on the router: the new Symantec2017 certificate (valid until March 2020), the Verisign2014 certificate that expires on March 9 2017, and the IOS self-signed certificate. Importing the new certificate does not by itself make any service present it. Whatever references the trustpoint (ip http secure-trustpoint for the HTTPS server, ca trust-point in an ISAKMP profile, pki trustpoint in an IKEv2 profile) has to be changed to Symantec2017, otherwise the expiring certificate is still the one offered to peers. Once nothing references it any more, remove the old trustpoint with no crypto pki trustpoint Verisign2014, which also deletes its certificates from NVRAM.
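
Doing this on every router every two years is easier if the expiry dates are collected rather than read by eye. The script below is an added example, not part of the original post and not a Cisco tool: a stdlib-only Python parser for show crypto pki certificates output that reports which certificates (router, CA or self-signed) expire within a given window and which trustpoint currently holds the newest valid router certificate for a host name, which is the name the HTTPS server or IKE profile should reference after a renewal. The sample text is constructed from the output shown above (trustpoint names, serial numbers and dates are the page's; the record set is abridged), and the EST/EDT suffix is dropped so dates compare in router-local time.

```python
# Flag expiring certificates in Cisco IOS 'show crypto pki certificates' output.
# Added example, not code from the original post; stdlib only, Python 3.8+.
import re
from datetime import datetime

# Constructed sample: abridged from the show output quoted in the post above.
SAMPLE_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 6EAB8A40ED47C489B55095818DEB8749
  Issuer:
    cn=Symantec Class 3 Secure Server CA - G4
  Subject:
    Name: 16th-M.test.com
    cn=16th-M.test.com
  Validity Date:
    start date: 19:00:00 EST Feb 20 2017
    end   date: 19:59:59 EDT Mar 8 2020
  Associated Trustpoints: Symantec2017

CA Certificate
  Certificate Serial Number (hex): 513FB9743870B73440418D30930699FF
  Issuer:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign, Inc. - For authorized use only
  Subject:
    cn=Symantec Class 3 Secure Server CA - G4
  Validity Date:
    start date: 20:00:00 EDT Oct 30 2013
    end   date: 19:59:59 EDT Oct 30 2023
  Associated Trustpoints: Symantec2017

Certificate
  Certificate Serial Number (hex): 04681FB41D03897F3C61766E1DD5C42F
  Issuer:
    cn=VeriSign Class 3 Secure Server CA - G3
  Subject:
    Name: 16th-M.test.com
    cn=16th-M.test.com
  CRL Distribution Points:
    http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
  Validity Date:
    start date: 20:00:00 EDT Mar 9 2014
    end   date: 18:59:59 EST Mar 9 2017
  Associated Trustpoints: Verisign2014

Router Self-Signed Certificate
  Certificate Serial Number (hex): 01
  Subject:
    cn=IOS-Self-Signed-Certificate-2633522734
  Validity Date:
    start date: 09:55:58 EST Mar 9 2013
    end   date: 19:00:00 EST Dec 31 2019
  Associated Trustpoints: TP-self-signed-2633522734
"""

HEADERS = {"Certificate": "router", "CA Certificate": "ca",
           "Router Self-Signed Certificate": "self-signed"}
FIELD_RE = re.compile(r"([a-z]+)=(.+)")      # one DN attribute per line, e.g. cn=...


def parse_ios_date(text):
    """'19:59:59 EDT Mar 8 2020' -> naive datetime. The zone token is dropped, so
    results are router-local time; fine for a renewal calendar, not for auditing."""
    parts = text.split()
    return datetime.strptime(" ".join([parts[0]] + parts[-3:]), "%H:%M:%S %b %d %Y")


def parse_show_certificates(text):
    """Split show output into one dict per certificate block."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:                         # start of a new certificate block
            rec = {"kind": HEADERS[line], "serial": None, "trustpoint": None,
                   "start": None, "end": None, "issuer": {}, "subject": {}}
            records.append(rec)
            section = None
        elif rec is None:
            continue
        elif line in ("Issuer:", "Subject:"):       # DN attributes follow
            section = line[:-1].lower()
        elif line.endswith(":"):                    # any other sub-heading ends the DN
            section = None
        elif line.startswith("Certificate Serial Number"):
            rec["serial"] = line.split(":", 1)[1].strip()
        elif (m := re.match(r"(start|end)\s+date:\s*(.+)", line)):
            rec[m.group(1)] = parse_ios_date(m.group(2))
        elif line.startswith("Associated Trustpoints:"):
            rec["trustpoint"] = line.split(":", 1)[1].strip()
        elif section and (m := FIELD_RE.match(line)):
            rec[section].setdefault(m.group(1), m.group(2).strip())  # keep first cn=/ou=
    return records


def expiring_within(records, now, days):
    """(trustpoint, kind, subject cn, days_left) for every certificate that expires
    within `days` of `now` or has already expired (negative days_left)."""
    hits = []
    for r in records:
        if r["end"] is not None:
            left = (r["end"] - now).days
            if left <= days:
                hits.append((r["trustpoint"], r["kind"], r["subject"].get("cn"), left))
    return sorted(hits, key=lambda h: h[3])


def current_trustpoint_for(records, cn, now):
    """Trustpoint holding the longest-lived, currently valid router cert for `cn`."""
    valid = [r for r in records if r["kind"] == "router" and r["subject"].get("cn") == cn
             and r["start"] is not None and r["start"] <= now < r["end"]]
    return max(valid, key=lambda r: r["end"])["trustpoint"] if valid else None


if __name__ == "__main__":
    certs = parse_show_certificates(SAMPLE_OUTPUT)
    today = datetime(2017, 3, 1)              # one week before the 2014 cert expires
    for tp, kind, cn, left in expiring_within(certs, today, days=60):
        print(f"{tp:<28} {kind:<12} {cn or '-':<38} expires in {left:>4} days")
    print("trustpoint to reference:", current_trustpoint_for(certs, "16th-M.test.com", today))
```

Run against real output by piping the show command's text into parse_show_certificates; with a 60-day window and the sample date the only hit is the Verisign2014 router certificate, and the trustpoint to reference is Symantec2017. A CA certificate in the hit list matters as much as a router certificate: the Verisign G3 intermediate on this router expires in February 2020, before the Symantec2017 leaf does.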



By John

One thought on "Renew Cisco IOS IPsec VPN Certificate from Symantec"
