First of we should have a CA set up in Linux, if not, you can refer to this article.
Now back on the router we want to run WebVPN on. What we want to do now is to create a trustpoint that we can enroll our certificates with. A trustpoint represents a CA, and the method we enroll our certificate is specified in there. But before we do that, we'll need to generate a keypair, which every RSA certificate needs:
crypto key gen rsa exportable label RSAKEYPAIR
Now that we have our RSA keypair, we can now create the trustpoint:
crypto pki trustpoint CA
rsakeypair RSAKEYPAIR
Now we'll specify our enrollment method, which is copying and pasting through the terminal. Now that's really low-tech. To do this, we'll specify:
enrollment terminal pem
Finally we'll specify the common name of the host. This common name needs to be the exact FQDN of the host. If the host does not have a domain name associated with it, you will need to specify the exact IP address it is going to use:
subject CN=1.1.1.2
Now you can actually specify a longer subject String with OU and all the extra stuff, but this will suffice for a very basic certificate. Now it's time to enroll the certificate:
crypto pki enroll CA
It will ask you if you want to display it on the terminal. Select YES and you should have something similar to this on your screen:
-----BEGIN CERTIFICATE REQUEST----- MIIBOjCB5QIBADBfMRAwDgYDVQQDEwcxLjEuMS4yMUswEgYDVQQFEwtYWFhYWFhY WFhYWDAUBgkqhkiG9w0BCQgTBzEuMS4xLjIwHwYJKoZIhvcNAQkCFhJSMi5zeXJh eGl1cy5hdGguY3gwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA8wJEMyVp/C84Y9br jSA9DK0Bml8ya1xi6JNygxGPqsVC17AWVKHSAzFOUTnLj6E5OGsTq0Ud5mZ/ZkUf V4E+QwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJ KoZIhvcNAQEEBQADQQAe6gABr8oUtRftvxpYwHWEeCArCMhfWxO/XQDNzyFqP6xk 16bNLzJnF4021L9YS1eyrQnzUtAXj4qr8l/b1XwJ -----END CERTIFICATE REQUEST-----
Now what you do with this information is that you need to copy the entire page from ----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and paste it into a file. What should you name the file? We'll, you've guessed it, you'll name it newreq.pem and place it into the /etc/ssl/ folder of your CA. Then we'll run the signature command with CA.pl. If you don't know what I'm talking about, you'll again need to refer to this article.
Now you should end up with a newcert.pem. Before we import the certificate, we'll need to import the certificate authority's root certificate. Why do we need to do that? This is because you don't have a button that says "Add Exception" in a Router, so you'll either have to have a CA certificate that you trust, or it's all not going to work at all.
Be sure that the system clock is set correctly! This is crucial as the certificates will be checked for both time and date to see if it's valid. To do this, we'll type:
conf t
clock timezone SGT +8
exit
clock set 19:11:00 July 27 2010
So we'll begin by invoking the command to allow importing of the root CA:
crypto pki authen CA
Next, we'll paste the contents of cacert.pem from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into the prompt. In case you're wondering, cacert.pem is actually found in /etc/ssl/demoCA/.
Now it's finally time to import your certificate. We do it the same way as we import the CA certificate, except that we'll use the command:
crypto pki import CA certificate
Now that you have a certificate, we'll set up our WebVPN but this time with the trust point set to the trustpoint which you imported your certificate into. If you want to set up WebVPN, you can follow along this article.
In the future I'll go into topics like using automatic enrollment and so on, so stay tuned! Before I go into those, it's time to set up OpenVPN on a WRT54G and connect using a Windows host!
No comments :
Post a Comment