
Example for Configuring Automatic Local Certificate Application Using SCEP

Networking Requirements

On the enterprise network shown in Figure 1, the Switch sits at the network edge as the egress gateway and the CA server is located on the public network. The network administrator applies for a local certificate from the CA server in online mode.

The network administrator wants a simple and fast way to apply for a local certificate, have the certificate imported into memory automatically, and have it renewed automatically before it expires. Automatic certificate application through SCEP meets these requirements.

Figure 1 Automatic local certificate application using SCEP

This example provides only the configurations on Switch. For the configurations on the CA server, see the CA server product manual. In this example, the CA server runs Windows Server 2008 with the built-in Certification Services and with the SCEP plugin installed.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces and configure a static route to the CA server so that the Switch and the CA server can communicate with each other.
  2. Create an RSA key pair so that the local certificate application request contains the public key.
  3. Configure the PKI entity and related information to identify the PKI entity.
  4. Configure certificate application through SCEP, with automatic certificate installation and automatic certificate update.

Data Preparation

Obtain the CA certificate fingerprint and the challenge password from the CA server out of band (offline). The fingerprint is the only means the Switch has of authenticating the CA certificate that it later downloads over plain HTTP from the enrollment URL, so it must come from the CA administrator or the CA's own administration page over a trusted channel, never from the SCEP response itself. In this example, the SHA-256 fingerprint is e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0 and the challenge password is 6AE73F21E6D3571D.

For example, on a CA server running Windows Server 2008, the fingerprint can be read at http://host:port/certsrv/mscep_admin/, where host is the server's IP address and port is the port number.
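The fingerprint check is the trust anchor of the whole procedure, so here is an added Python example (not Huawei code and not part of the original page) that models it: it takes a SCEP GetCACert reply, extracts the certificates from the certs-only PKCS#7 that an RA-backed server returns, and accepts the response only if exactly one certificate hashes to the pinned SHA-256 value. The content types, OIDs and ASN.1 layout are those of SCEP and PKCS#7; the placeholder certificates, the normalize_fingerprint, certs_from_response and pinned_ca_cert helpers and the bundle builder are assumptions made for the example.

```python
"""Verify a SCEP GetCACert response against the out-of-band CA fingerprint.

Added example, not Huawei code. It models the check the Switch performs with
the configured ``fingerprint sha256`` value before trusting the CA certificate
it downloads over plain HTTP. When the realm uses ``enrollment-url ... ra`` the
server answers with a certs-only PKCS#7 (content type
application/x-x509-ca-ra-cert) that carries the RA certificate(s) alongside the
CA certificate, so the pin must be compared against each certificate in the
bundle rather than against the raw body. Only the standard library is used; the
DER walker handles just enough ASN.1 to pull Certificate SEQUENCEs out of a
degenerate SignedData. The certificates below are constructed placeholders,
not real X.509 data.
"""
import hashlib
import hmac

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_children(buf):
    """Split a DER buffer into (tag, raw_tlv, value) triples, one per element."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: next bytes carry the length
            count = length & 0x7F
            length = int.from_bytes(buf[start:start + count], "big")
            start += count
        end = start + length
        if end > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:end], buf[start:end]))
        pos = end
    return out


def certs_from_response(content_type, body):
    """Return the DER certificates carried by a GetCACert reply."""
    if content_type == "application/x-x509-ca-cert":
        return [body]                            # single CA certificate, no RA
    if content_type != "application/x-x509-ca-ra-cert":
        raise ValueError("unexpected GetCACert content type: " + content_type)
    top = der_children(body)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("response is not a ContentInfo SEQUENCE")
    fields = der_children(top[0][2])
    if len(fields) < 2 or fields[0][0] != 0x06 or fields[0][2] != OID_SIGNED_DATA or fields[1][0] != 0xA0:
        raise ValueError("response is not PKCS#7 signedData")
    signed_data = der_children(fields[1][2])[0]          # SignedData SEQUENCE
    for tag, _raw, value in der_children(signed_data[2]):
        if tag == 0xA0:                                  # [0] IMPLICIT certificates
            return [raw for t, raw, _ in der_children(value) if t == 0x30]
    raise ValueError("certs-only signedData carries no certificates")


def sha256_hex(der):
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text):
    """Accept the colon/space separated, mixed-case form shown by CA admin pages."""
    digits = "".join(ch for ch in text if ch not in " :\t\r\n").lower()
    if len(digits) != 64 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return digits


def pinned_ca_cert(content_type, body, pinned_fingerprint):
    """Return the one certificate matching the pin, or refuse the whole response."""
    want = normalize_fingerprint(pinned_fingerprint)
    matches = [c for c in certs_from_response(content_type, body)
               if hmac.compare_digest(sha256_hex(c), want)]
    if len(matches) != 1:
        raise ValueError("CA fingerprint matched %d certificates, refusing response" % len(matches))
    return matches[0]


def build_ca_ra_bundle(cert_ders):
    """Constructed test input: a certs-only PKCS#7 as an RA-backed SCEP server returns."""
    signed_data = tlv(0x30, tlv(0x02, b"\x01")             # version
                      + tlv(0x31, b"")                     # digestAlgorithms (empty)
                      + tlv(0x30, tlv(0x06, OID_DATA))     # encapContentInfo
                      + tlv(0xA0, b"".join(cert_ders)))    # [0] certificates
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))


# Constructed placeholders standing in for the RA and CA certificates.
RA_DER = tlv(0x30, b"constructed RA certificate placeholder")
CA_DER = tlv(0x30, b"constructed CA certificate placeholder")

if __name__ == "__main__":
    bundle = build_ca_ra_bundle([RA_DER, CA_DER])
    trusted = pinned_ca_cert("application/x-x509-ca-ra-cert", bundle, sha256_hex(CA_DER))
    print("CA pin accepted:", trusted == CA_DER)
```

The comparison uses hmac.compare_digest so that the check does not leak timing information, and a response in which the pin matches zero or more than one certificate is rejected outright rather than partially trusted.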

Procedure

  1. Assign IP addresses to interfaces and configure static routes to the CA server.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 200
    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.2.0.2 255.255.255.0
    [Switch-Vlanif100] quit
    [Switch] interface vlanif 200
    [Switch-Vlanif200] ip address 10.1.0.2 255.255.255.0
    [Switch-Vlanif200] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type trunk
    [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] ip route-static 10.3.0.0 255.255.255.0 10.2.0.1

  2. Create an RSA key pair.

    # Create a 2048-bit RSA key pair named rsa_scep and allow it to be exported.

    [Switch] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep 
     The size of the public key ranges from 2048 to 4096.
     Input the bits in the modules:2048
     Generating key-pairs...       ..................+++
    .......................+++ 
    

  3. Configure a PKI entity to identify a certificate applicant.

    # Configure the PKI entity user01.

    [Switch] pki entity user01
    [Switch-pki-entity-user01] common-name hello
    [Switch-pki-entity-user01] country cn
    [Switch-pki-entity-user01] email user@test.abc.com
    [Switch-pki-entity-user01] fqdn test.abc.com
    [Switch-pki-entity-user01] ip-address 10.2.0.2
    [Switch-pki-entity-user01] state jiangsu
    [Switch-pki-entity-user01] organization huawei
    [Switch-pki-entity-user01] organization-unit info
    [Switch-pki-entity-user01] quit

  4. Apply for and update the certificate using SCEP.

    [Switch] pki realm abc
    [Switch-pki-realm-abc] ca id ca_root
    [Switch-pki-realm-abc] entity user01
    [Switch-pki-realm-abc] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
    [Switch-pki-realm-abc] enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
    [Switch-pki-realm-abc] rsa local-key-pair rsa_scep
    [Switch-pki-realm-abc] enrollment-request signature message-digest-method sha-384
    [Switch-pki-realm-abc] password cipher 6AE73F21E6D3571D

  5. Enable automatic certificate enrollment, configure the certificate to be renewed when 60% of its validity period has elapsed, and have a new 2048-bit RSA key pair generated together with the new certificate.

    [Switch-pki-realm-abc] auto-enroll 60 regenerate 2048
    [Switch-pki-realm-abc] quit

    The device obtains and installs the CA certificate (checking it against the configured fingerprint) before it obtains and installs the local certificate. The CA and local certificates are saved as abc_ca.cer and abc_local.cer.

  6. Verify the configuration.
    1. After the local certificate has been obtained and imported into memory, run the display pki certificate local command to view its content. Note that the issued certificate is signed with sha1WithRSAEncryption: the message-digest-method configured in step 4 applies only to the signature on the Switch's own enrollment request, while the algorithm used to sign the certificate is chosen by the CA, and SHA-1 should no longer be accepted for new certificates.

      [Switch] display pki certificate local realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  48:65:aa:2a:00:00:00:00:3f:c6                                       
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Dec 21 11:46:10 2015 GMT                                
                  Not After : Dec 21 11:56:10 2016 GMT                                
              Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello                  
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:94:6f:49:bd:6a:f3:d5:07:ee:10:ee:4f:d3:06:               
                          80:59:15:cb:a8:0a:b2:ba:c2:db:52:ec:e9:d1:a7:               
                          72:de:ac:35:df:bb:e0:72:62:08:3e:c5:54:c1:ba:               
                          4a:bb:1b:a9:d9:dc:e4:b6:4d:ca:b3:54:90:b6:8e:               
                          15:a3:6e:2d:b2:9e:9e:7a:33:b0:56:3f:ec:bc:67:               
                          1c:4c:59:c6:67:0f:a7:03:52:44:8c:53:72:42:bd:               
                          6e:0c:90:5b:88:9b:2c:95:f7:b8:89:d1:c2:37:3e:               
                          93:78:fa:cb:2c:20:22:5f:e5:9c:61:23:7b:c0:e9:               
                          fe:b7:e6:9c:a1:49:0b:99:ef:16:23:e9:44:40:6d:               
                          94:79:20:58:d7:e1:51:a1:a6:4b:67:44:f7:07:71:               
                          54:93:4e:32:ff:98:b4:2b:fa:5d:b2:3c:5b:df:3e:               
                          23:b2:8a:1a:75:7e:8f:82:58:66:be:b3:3c:4a:1c:               
                          2c:64:d0:3f:47:13:d0:5a:29:94:e2:97:dc:f2:d1:               
                          06:c9:7e:54:b3:42:2e:15:b8:40:f3:94:d3:76:a1:               
                          91:66:dd:40:29:c3:69:70:6d:5a:b7:6b:91:87:e8:               
                          bb:cb:a5:7e:ec:a5:31:11:f3:04:ab:1a:ef:10:e6:               
                          f1:bd:d9:76:42:6c:2e:bf:d9:91:39:1d:08:d7:b4:               
                          18:53                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:
                  X509v3 Key Usage:
                      Digital Signature, Key Encipherment   
                  X509v3 Subject Alternative Name:                                    
                      IP Address:10.2.0.2, DNS:test.abc.com, email:user@test.abc.com  
                  X509v3 Subject Key Identifier:                                      
                      15:D1:F6:24:EB:6B:C0:26:19:58:88:91:8B:60:42:CE:BA:D5:4D:F3     
                  X509v3 Authority Key Identifier:
                      keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5

                  X509v3 CRL Distribution Points:

                      Full Name:
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
                        URI:http://10.3.0.1:8080/certenroll/ca_root.crl

                  Authority Information Access:
                      CA Issuers - URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/vasp-e6000-127.china.huawei.com_ca_root.crt
                      OCSP - URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\vasp-e6000-127.china.huawei.com_ca_root.crt
                                                                                     
                  1.3.6.1.4.1.311.20.2:                                               
                      .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
                  X509v3 Basic Constraints: critical                                  
                      CA:FALSE                                                        
                  X509v3 Extended Key Usage:                                          
                      1.3.6.1.5.5.8.2.2   
          Signature Algorithm: sha1WithRSAEncryption                                  
               d2:be:a8:52:6b:03:ce:89:f1:5b:49:d4:eb:2b:9f:fd:59:17:                 
               d4:3c:f1:db:4f:1b:d1:12:ac:bf:ae:59:b4:13:1b:8a:20:d0:                 
               52:6a:f8:a6:03:a6:72:06:41:d2:a7:7d:3f:51:64:9b:84:64:                 
               cf:ec:4c:23:0a:f1:57:41:53:eb:f6:3a:44:92:f3:ec:bd:09:                 
               75:db:02:42:ab:89:fa:c4:cd:cb:09:bf:83:1d:de:d5:4b:68:                 
               8a:a6:5f:7a:e8:b3:34:d3:e8:ec:24:37:2b:bd:3d:09:ed:88:                 
               d8:ed:a7:f8:66:aa:6f:b0:fe:44:92:d4:c9:29:21:1c:b3:7a:                 
               65:51:32:50:5a:90:fa:ae:e1:19:5f:c8:63:8d:a8:e7:c6:89:                 
               2e:6d:c8:5b:2c:0c:cd:41:48:bd:79:74:0e:b8:2f:48:69:df:                 
               02:89:bb:b3:59:91:7f:6b:46:29:7e:22:05:8c:bb:6a:7e:f3:                 
               11:5a:5f:fb:65:51:7d:35:ff:49:9e:ec:d1:2d:7e:73:e5:99:                 
               c6:41:84:0c:50:11:ed:97:ed:15:de:11:22:73:a1:78:11:2e:                 
               34:e6:f5:de:66:0c:ba:d5:32:af:b8:54:26:4f:5b:9e:89:89:                 
               2a:3f:b8:96:27:00:c3:08:3a:e9:e8:a6:ce:4b:5a:e3:97:9e:                 
               6b:dd:f0:72                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_local.cer                                            
      Certificate peer name: - 

    2. After a CA certificate is obtained and imported to memory, run the display pki certificate ca command to view content of the certificate.

      [Switch] display pki certificate ca realm abc
       The x509 object type is certificate:                                           
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f                     
          Signature Algorithm: sha1WithRSAEncryption                                  
              Issuer: CN=ca_root                                                      
              Validity                                                                
                  Not Before: Jun  4 14:58:17 2015 GMT                                
                  Not After : Jun  4 15:07:10 2020 GMT                                
              Subject: CN=ca_root                                                     
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:               
                          d5:68:92:1b:04:9d:cf:33:a2:73:64:3e:5f:fe:1a:               
                          53:78:0e:3d:e1:99:14:aa:86:9b:c3:b8:33:ab:bb:               
                          76:e9:82:f6:8f:05:cf:f6:83:8e:76:ca:ff:7d:f1:               
                          bc:22:74:5e:8f:4c:22:05:78:d5:d6:48:8d:82:a7:               
                          5d:e1:4c:a4:a9:98:ec:26:a1:21:07:42:e4:32:43:               
                          ff:b6:a4:bd:5e:4d:df:8d:02:49:5d:aa:cc:62:6c:               
                          34:ab:14:b0:f1:58:4a:40:20:ce:be:a5:7b:77:ce:               
                          a4:1d:52:14:11:fe:2a:d0:ac:ac:16:95:78:34:34:               
                          21:36:f2:c7:66:2a:14:31:28:dc:7f:7e:10:12:e5:               
                          6b:29:9a:e8:fb:73:b1:62:aa:7e:bd:05:e5:c6:78:               
                          6d:3c:08:4c:9c:3f:3b:e0:e9:f2:fd:cb:9a:d1:b7:               
                          de:1e:84:f4:4a:7d:e2:ac:08:15:09:cb:ee:82:4b:               
                          6b:bd:c6:68:da:7e:c8:29:78:13:26:e0:3c:6c:72:               
                          39:c5:f8:ad:99:e4:c3:dd:16:b5:2d:7f:17:e4:fd:               
                          e4:51:7a:e6:86:f0:e7:82:2f:55:d1:6f:08:cb:de:               
                          84:da:ce:ef:b3:b1:d6:b3:c0:56:50:d5:76:4d:c7:               
                          fb:75                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      ...C.A                                                          
                  X509v3 Key Usage: critical                                          
                      Digital Signature, Certificate Sign, CRL Sign                   
                  X509v3 Basic Constraints: critical                                  
                      CA:TRUE                                                         
                  X509v3 Subject Key Identifier:                                      
                      B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5     
                  X509v3 CRL Distribution Points:

                      Full Name:
                        URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.crl
                        URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl
                                                                                      
                  1.3.6.1.4.1.311.21.1:                                               
                      ...                                                             
          Signature Algorithm: sha1WithRSAEncryption                                  
               52:21:46:b8:67:c8:c3:4a:e7:f8:cd:e1:02:d4:24:a7:ce:50:                 
               be:33:af:8a:49:47:67:43:f9:7f:79:88:9c:99:f5:87:c9:ff:                 
               08:0f:f3:3b:de:f9:19:48:e5:43:0e:73:c7:0f:ef:96:ef:5a:                 
               5f:44:76:02:43:83:95:c4:4e:06:5e:11:27:69:65:97:90:4f:                 
               04:4a:1e:12:37:30:95:24:75:c6:a4:73:ee:9d:c2:de:ea:e9:                 
               05:c0:a4:fb:39:ec:5c:13:29:69:78:33:ed:d0:18:37:6e:99:                 
               bc:45:0e:a3:95:e9:2c:d8:50:fd:ca:c2:b3:5a:d8:45:82:6e:                 
               ec:cc:12:a2:35:f2:43:a5:ca:48:61:93:b9:6e:fe:7c:ac:41:                 
               bf:88:70:57:fc:bb:66:29:ae:73:9c:95:b9:bb:1d:16:f7:b4:                 
               6a:da:03:df:56:cf:c7:c7:8c:a9:19:23:61:5b:66:22:6f:7e:                 
               1d:26:92:69:53:c8:c6:0e:b3:00:ff:54:77:5e:8a:b5:07:54:                 
               fd:18:39:0a:03:ac:1d:9f:1f:a1:eb:b9:f8:0d:21:25:36:d5:                 
               06:de:33:fa:7b:c8:e9:60:f3:76:83:bf:63:c6:dc:c1:2c:e4:                 
               58:b9:cb:48:15:d2:a8:fa:42:72:15:43:ef:55:63:39:58:77:                 
               e8:ae:0f:34                                                            
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_ca.cer                                               
      Certificate peer name: - 

    3. When 60% of the certificate validity period has elapsed, the device sends a certificate update request to the SCEP server.

      The regenerate parameter has been specified for auto-enroll, so the device generates a new RSA key pair to apply for a new certificate.
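As an added example, not Huawei code and not part of the original page, the following Python script turns the verification step into an automated check: it parses the fields shown in the display pki certificate local output above, computes the point at which auto-enroll 60 will trigger renewal, and flags two things worth noticing in the sample output, the sha1WithRSAEncryption issuer signature and any configured SAN value missing from the certificate. The SAMPLE_OUTPUT excerpt is constructed from the output on this page; the parse_certificate, renewal_time and audit functions and the EXPECTED_SAN list are assumptions of the example, and the renewal arithmetic (start of validity plus the configured percentage of the lifetime) models the auto-enroll behaviour described on this page rather than the device's own code.

```python
"""Audit a local certificate obtained through SCEP from the Switch's own
``display pki certificate local`` output.

Added example, not Huawei code. It parses the fields shown in the verification
step, reproduces the ``auto-enroll <percent>`` arithmetic (renewal starts once
that share of the validity period has elapsed) and flags a weak issuer
signature and any expected SAN entry the certificate lacks. SAMPLE_OUTPUT is a
constructed excerpt of the CLI output shown on this page.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=ca_root
            Validity
                Not Before: Dec 21 11:46:10 2015 GMT
                Not After : Dec 21 11:56:10 2016 GMT
            Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    IP Address:10.2.0.2, DNS:test.abc.com, email:user@test.abc.com
"""

# SAN values the PKI entity user01 was configured with (assumed expectation).
EXPECTED_SAN = ["IP Address:10.2.0.2", "DNS:test.abc.com", "email:user@test.abc.com"]


def parse_gmt(text):
    """Parse the 'Dec 21 11:46:10 2015 GMT' form (single-digit days are padded with a space)."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_certificate(text):
    """Pull signature algorithm, issuer, validity, subject and SAN from the CLI output."""
    info = {"san": []}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Signature Algorithm" and "sig_alg" not in info:
            info["sig_alg"] = value          # first occurrence is the one in tbsCertificate
        elif key == "Not Before":
            info["not_before"] = parse_gmt(value)
        elif key == "Not After":
            info["not_after"] = parse_gmt(value)
        elif key in ("Issuer", "Subject"):
            info[key.lower()] = value
        elif key in ("IP Address", "DNS", "email"):
            info["san"] = [item.strip() for item in line.split(",")]
    return info


def weak_signature(sig_alg):
    """True for MD5- or SHA-1-based signature algorithms such as sha1WithRSAEncryption."""
    return re.search(r"(md5|sha1)(?!\d)", sig_alg.lower()) is not None


def renewal_time(not_before, not_after, percent):
    """Instant at which 'auto-enroll <percent>' triggers the SCEP renewal request."""
    lifetime = int((not_after - not_before).total_seconds())
    return not_before + timedelta(seconds=lifetime * percent // 100)


def audit(info, percent, now, expected_san):
    """Summarise what an operator should know about the installed certificate."""
    renew_at = renewal_time(info["not_before"], info["not_after"], percent)
    return {
        "weak_signature": weak_signature(info["sig_alg"]),
        "renew_at": renew_at,
        "renewal_due": now >= renew_at,
        "expired": now >= info["not_after"],
        "missing_san": sorted(set(expected_san) - set(info["san"])),
    }


if __name__ == "__main__":
    cert = parse_certificate(SAMPLE_OUTPUT)
    for key, value in audit(cert, 60, datetime.now(timezone.utc), EXPECTED_SAN).items():
        print(f"{key}: {value}")
```

For the certificate on this page (valid 21 Dec 2015 11:46:10 to 21 Dec 2016 11:56:10, a lifetime of 366 days and 10 minutes because 2016 is a leap year), 60% of the lifetime elapses on 28 Jul 2016 at 02:16:10 UTC, which is when the Switch would send its renewal request.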

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100 200
#
interface Vlanif100                                                             
 ip address 10.2.0.2 255.255.255.0
# 
interface Vlanif200                                                             
 ip address 10.1.0.2 255.255.255.0
# 
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 
#
ip route-static 10.3.0.0 255.255.255.0 10.2.0.1
#
pki realm abc
 ca id ca_root                                                                  
 enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
 entity user01                                                                  
 fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
 rsa local-key-pair rsa_scep                                                    
 password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#                               
 auto-enroll 60 regenerate 
 enrollment-request signature message-digest-method sha-384
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 10.2.0.2
 email user@test.abc.com
#
return
Copyright © Huawei Technologies Co., Ltd.