
CLI: Example for Configuring Local Certificate Application Using SCEP

Network Requirements

On the enterprise network shown in Figure 1, a firewall is located at the network edge and functions as the egress gateway. The FW uses SCEP to apply for a local certificate from the CA server located on the public network. The local certificate is downloaded automatically to the device storage.

Figure 1 Local certificate application using SCEP

This example provides only the configurations on FW. For the configurations on the CA server, see the CA server product manual. In this example, the CA server runs Windows Server 2008 with the built-in Certification Services and with the SCEP plug-in installed.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Assign IP addresses to interfaces and static routes to the CA server so that the FW and CA server can communicate with each other.
  2. Add interfaces to security zones and configure the inter-zone security policy.
  3. Create an RSA key pair so that the local certificate application request contains the public key.
  4. Configure the PKI entity and related information to identify the PKI entity.
  5. Configure certificate application and automatic update using SCEP so that the device automatically downloads CA and local certificates.
  6. Install the CA and local certificates to make the certificates effective. That is, the device can use the certificates to protect communication data.

Data Preparation

Obtain the fingerprint and challenge password from the CA server in offline mode.

For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number.
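The fingerprint obtained here is what the device later asks you to confirm when the CA certificate is imported ("Is the fingerprint correct?"). The following Python script is an added example, not Huawei code and not part of this page: it shows the same comparison done on a workstation, hashing the DER bytes of a PEM certificate with SHA-1, rendering the result both in the grouped form the device prints and in the bare form the fingerprint sha1 command takes, and comparing it with the out-of-band value in constant time. The certificate bytes are a constructed placeholder rather than a real certificate, and the function names are the author's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder standing in for the DER encoding of a CA certificate.
# A fingerprint is just a hash over the DER bytes, so any byte string exercises the logic.
SAMPLE_DER = bytes(range(256)) * 4

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope, 64 base64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block of a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER, as the 40 hex digits the 'fingerprint sha1' command takes."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Strip spaces and colons so the device's grouped form and a bare hex string compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def cli_format(fingerprint: str) -> str:
    """Render a fingerprint the way the device prints it at import time (groups of four)."""
    digits = normalize(fingerprint)
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True when the certificate's SHA-1 fingerprint equals the out-of-band value.

    hmac.compare_digest runs in constant time; a plain == is acceptable for a
    one-off manual check but is a bad habit in anything that runs unattended.
    """
    actual = sha1_fingerprint(pem_to_der(pem_text))
    expected_hex = normalize(expected)
    if len(expected_hex) != 40:
        raise ValueError("SHA-1 fingerprint must be 40 hex digits")
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print("computed:", cli_format(sha1_fingerprint(SAMPLE_DER)))
    print("match:", fingerprint_matches(pem, sha1_fingerprint(SAMPLE_DER)))
```

The value to feed the device's fingerprint sha1 command is the bare 40-digit form; the grouped form is only what the device echoes back at import time, and normalize() makes the two interchangeable when checking.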

Procedure

  1. Assign IP addresses to interfaces and configure static routes to the CA server.

    <sysname> system-view
    [sysname] sysname FW
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 10.2.0.2 255.255.255.0
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.1.0.2 255.255.255.0
    [FW-GigabitEthernet0/0/2] quit
    [FW] ip route-static 10.3.0.0 255.255.255.0 10.2.0.1

  2. Add interfaces to security zones and configure the inter-zone security policy.

    [FW] firewall zone trust
    [FW-zone-trust] set priority 85
    [FW-zone-trust] add interface GigabitEthernet 0/0/2
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] set priority 5
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] quit

  3. Create an RSA key pair.

    # Create a 2048-bit RSA key pair named rsa_scep and allow it to be exported.

    [FW] pki rsa local-key-pair create rsa_scep exportable
     Info: The name of the new key-pair will be: rsa_scep                           
     The size of the public key ranges from 2048 to 4096.                            
     Input the bits in the modules:2048                                             
     Generating key-pairs...                                                        
    ...........+++                                                                  
    ...........+++   

  4. Configure a PKI entity to identify the certificate applicant.

    # Configure the PKI entity user01.

    [FW] pki entity user01
    [FW-pki-entity-user01] common-name hello
    [FW-pki-entity-user01] country cn
    [FW-pki-entity-user01] email user@test.abc.com
    [FW-pki-entity-user01] fqdn test.abc.com
    [FW-pki-entity-user01] ip-address 10.2.0.2
    [FW-pki-entity-user01] state jiangsu
    [FW-pki-entity-user01] organization huawei
    [FW-pki-entity-user01] organization-unit info
    [FW-pki-entity-user01] quit

  5. Apply for and update the certificate using SCEP.

    [FW] pki realm abc
    [FW-pki-realm-abc] ca id ca_root
    [FW-pki-realm-abc] entity user01
    # Configure the fingerprint of the CA certificate, for example, D5A13C2C686628B273652E88A85EFDAF1BED600D.
    [FW-pki-realm-abc] fingerprint sha1 D5A13C2C686628B273652E88A85EFDAF1BED600D
    # Configure the URL for certificate enrollment and configure the PKI entity to apply for a certificate from the CA.
    [FW-pki-realm-abc] enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
    # Specify the RSA key pair used to apply for the certificate.
    [FW-pki-realm-abc] rsa local-key-pair rsa_scep
    # Configure the digest algorithm used to sign certificate enrollment request messages.
    [FW-pki-realm-abc] enrollment-request signature message-digest-method sha1
    # Set the challenge password, for example, 6AE73F21E6D3571D.
    [FW-pki-realm-abc] password cipher 6AE73F21E6D3571D
    [FW-pki-realm-abc] quit
    # Obtain the CA certificate.
    [FW] pki get-certificate ca realm abc

    The CA certificate is saved as abc_ca.cer on the CF card.

    # Import the CA certificate to memory.

    [FW] pki import-certificate ca realm abc pem filename abc_ca.cer 
     The CA's Subject is /CN=ca_root
     The CA's fingerprint is:                                                       
       MD5  fingerprint:6DF2 CC66 6E6A 09A0 F590 F63B 80BA 017B                     
       SHA1 fingerprint:D5A1 3C2C 6866 28B2 7365 2E88 A85E FDAF 1BED 600D           
     Is the fingerprint correct?(Y/N):y
     Info: Succeeded in importing file.  

    # Configure manual certificate enrollment.

    [FW] pki enroll-certificate realm abc

    The local certificate is saved as abc_local.cer on the CF card.

    # Import the local certificate to memory.

    [FW] pki import-certificate local realm abc pem filename abc_local.cer  
     Info: Succeeded in importing file.

    # Enable automatic certificate enrollment and update: the PKI entity updates the certificate and RSA key pair when 60% of the certificate validity period has passed.

    [FW] pki realm abc
    [FW-pki-realm-abc] auto-enroll 60 regenerate 2048
    [FW-pki-realm-abc] quit

  6. Verify the configuration.
    1. After the local certificate is obtained and imported to memory, run the display pki certificate local command to view the content of the certificate.

      [FW] display pki certificate local
       The  x509_obj type is Cert:
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  13:39:97:41:00:00:00:00:01:22                                       
              Signature Algorithm: sha1WithRSAEncryption                              
              Issuer: CN=ca_root
              Validity                                                                
                  Not Before: Jun 11 08:20:15 2012 GMT                                
                  Not After : Jun 11 08:20:15 2014 GMT                                
              Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:dd:5d:1a:33:7a:14:7b:d2:66:89:a6:8d:69:27:               
                          3b:84:25:09:dd:92:cb:86:2f:b8:39:e3:b4:03:fe:               
                          b8:71:97:cc:2c:a2:05:cb:dc:da:d3:8e:53:f7:9e:               
                          ca:77:0f:3a:c8:d1:5d:37:1e:bb:7f:d9:86:21:70:               
                          92:60:46:46:d7:55:c2:ca:9f:06:5e:8b:40:6e:a2:               
                          6a:46:97:9a:42:8d:1b:e8:75:61:0d:6e:10:fa:f5:               
                          f1:d0:06:0e:59:64:d1:b7:a9:cf:56:86:f9:5a:8e:               
                          aa:97:17:c6:33:62:d0:53:55:a5:ea:9f:62:fb:38:               
                          9d:a2:0b:e6:c7:1c:84:d3:04:e1:e9:e9:0e:1a:50:               
                          6b:e0:9f:4e:e6:ec:b5:36:05:b2:00:4f:35:81:1b:               
                          c7:f9:08:aa:b1:4b:95:67:5b:e5:fe:a5:cc:0f:af:               
                          a1:f6:36:b5:8d:49:b4:90:f9:ee:ad:7a:e9:9f:15:               
                          de:3b:9d:e4:76:ae:3b:80:77:33:55:cb:3f:58:9f:               
                          69:a3:3c:0e:0a:0d:a8:8c:50:cd:50:a2:0d:3f:e3:               
                          a2:ab:f2:e5:24:35:ad:45:f2:ce:8b:27:ae:02:b2:               
                          8f:92:83:3d:f1:53:b8:92:d7:05:04:be:40:20:82:               
                          df:b7:fb:1a:5b:70:6c:73:5d:4c:d9:73:42:ca:ed:               
                          62:b9                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:                                                      
                  X509v3 Subject Key Identifier:                                      
                      D5:BF:F5:A8:1E:25:F2:E2:6E:EB:37:8B:B4:9B:2B:8F:84:35:ED:1E     
                  X509v3 Authority Key Identifier:
                      keyid:13:58:F5:E6:5E:2B:17:EB:79:F5:79:A9:EA:A3:BE:4C:ED:F8:6B:1B

                  X509v3 CRL Distribution Points:

                      Full Name:
                        URI:ldap:///CN=com,CN=WIN-3N292O3I7OS,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=huasay,DC=pki?certificateRevocationList?base?objectClass=cRLDistributionPoint
                        URI:http://win-3n292o3i7os.huasay.pki/CertEnroll/com.crl
                        URI:file://WIN-3N292O3I7OS.huasay.pki/CertEnroll/com.crl

                  Authority Information Access:
                      CA Issuers - URI:ldap:///CN=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=huasay,DC=pki?cACertificate?base?objectClass=certificationAuthority
                      OCSP - URI:http://win-3n292o3i7os.huasay.pki/CertEnroll/WIN-3N292O3I7OS.huasay.pki_com.crt
                      CA Issuers - URI:file://WIN-3N292O3I7OS.huasay.pki/CertEnroll/WIN-3N292O3I7OS.huasay.pki_com.crt
                      OCSP - URI:http://win-3n292o3i7os.huasay.pki/ocsp
                                                                                      
                  1.3.6.1.4.1.311.20.2:                                               
                      .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
                  X509v3 Key Usage: critical                                          
                      Digital Signature, Key Encipherment                             
                  X509v3 Extended Key Usage:                                          
                      1.3.6.1.5.5.8.2.2                                               
          Signature Algorithm: sha1WithRSAEncryption                                  
              12:4a:f1:78:d8:0d:be:2e:a2:7f:c7:10:f3:2e:40:86:f6:69:                  
              91:d9:8b:da:3e:09:76:8b:c7:cf:cc:52:ab:38:8f:7e:88:97:                  
              f5:67:8a:f9:44:06:4d:f2:34:e2:bc:38:47:23:13:22:f4:05:                  
              52:40:cd:69:3e:ab:16:fd:bd:26:20:58:aa:0a:70:c1:3d:ce:                  
              0c:32:bf:87:43:1e:a8:61:af:43:70:2e:ab:21:84:a3:dd:54:                  
              24:b3:9e:25:c5:e5:cc:5e:e6:ac:06:c3:be:6e:51:1f:e8:75:                  
              59:11:bb:98:54:24:d3:17:d3:6f:ba:29:21:9a:74:a4:91:01:                  
              2a:5b:3b:c4:8e:26:00:9c:49:5e:b4:e0:9c:17:60:f9:89:cf:                  
              8e:17:d2:64:61:7c:73:f1:52:3a:d0:f2:41:92:20:ed:a5:32:                  
              f7:4c:2d:fe:f1:c5:18:bd:70:15:47:3d:e2:c9:a9:20:7b:ca:                  
              ff:93:1b:46:eb:9f:d4:91:8d:36:1c:fd:c4:ff:37:d1:8c:7a:                  
              33:97:10:2d:71:39:f7:fe:38:a5:dd:3d:85:39:7b:93:01:e4:                  
              16:2c:59:e2:ca:49:f8:ab:ec:9f:d6:67:e7:50:78:c8:c5:59:                  
              8c:88:78:ff:5a:66:17:04:37:a0:b1:97:3a:c3:f8:89:25:16:                  
              ec:e0:84:68                                                             
        
      Pki realm name: abc                                                             
      Certificate file name: abc_local.cer                                            
      Certificate peer name: -  

    2. After the CA certificate is obtained and imported to memory, run the display pki certificate ca command to view the content of the certificate.

      [FW] display pki certificate ca
       The x509 object  type is certificate:                                          
      Certificate:                                                                    
          Data:                                                                       
              Version: 3 (0x2)                                                        
              Serial Number:                                                          
                  27:41:06:ae:cd:76:4b:80:44:50:f9:64:75:dd:19:da                     
              Signature Algorithm: sha1WithRSAEncryption                              
              Issuer: CN=ca_root                                        
              Validity                                                                
                  Not Before: Feb 28 08:46:58 2011 GMT                                
                  Not After : Feb 28 08:56:58 2016 GMT                                
              Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello   
              Subject Public Key Info:                                                
                  Public Key Algorithm: rsaEncryption                                 
                      Public-Key: (2048 bit)                                          
                      Modulus:                                                        
                          00:dd:af:61:3e:a2:03:35:87:b1:46:eb:12:39:58:               
                          87:45:a9:b9:d6:a9:ee:c7:3f:b5:05:88:8c:07:35:               
                          00:b4:47:07:63:5b:40:58:05:da:d3:2d:f6:0d:88:               
                          9b:74:0e:a9:6c:a1:c9:ce:1e:30:05:84:ae:34:a9:               
                          3b:83:a3:a7:08:f0:73:d0:02:cf:d2:eb:bd:25:12:               
                          b0:38:ce:4e:db:15:e5:1b:b9:6e:f8:4f:90:e7:30:               
                          ef:9b:18:ee:22:f6:44:a9:b1:75:45:16:6d:d5:b2:               
                          d1:73:03:a1:ec:d4:7b:b7:8c:af:03:b1:16:b0:fa:               
                          f0:89:30:65:ac:51:52:2a:42:e9:dd:1c:0c:40:15:               
                          05:17:12:4c:f1:df:76:73:d1:4e:a0:a7:64:e6:f3:               
                          33:2f:1f:f7:88:09:92:61:fc:90:6c:5d:fa:02:77:               
                          0f:e9:58:f2:9e:de:ae:55:b0:71:72:91:47:ba:7c:               
                          a9:ad:2a:1f:a2:b2:0f:02:32:ff:9e:ba:c6:65:f4:               
                          23:3a:b5:f8:93:89:fa:a0:4f:36:5a:32:a6:bc:cf:               
                          09:21:e7:40:2f:97:3d:8f:e5:ad:27:b7:a5:a8:cf:               
                          43:a1:d6:25:1e:34:69:f1:a2:42:59:a0:91:13:7a:               
                          ee:22:0d:c3:b0:34:d7:da:86:7c:2a:d5:97:c3:f2:               
                          82:8d                                                       
                      Exponent: 65537 (0x10001)                                       
              X509v3 extensions:                                                      
                  X509v3 Key Usage:                                                   
                      Digital Signature, Certificate Sign, CRL Sign                   
                  X509v3 Basic Constraints: critical                                  
                      CA:TRUE                                                         
                  X509v3 Subject Key Identifier:                                      
                      13:58:F5:E6:5E:2B:17:EB:79:F5:79:A9:EA:A3:BE:4C:ED:F8:6B:1B     
                  1.3.6.1.4.1.311.21.1:                                               
                      ...                                                             
          Signature Algorithm: sha1WithRSAEncryption                                  
              76:77:2d:04:f7:02:e2:51:fc:51:5a:e8:d8:f4:ed:0b:a4:ab:                  
              36:1f:70:58:76:fa:8e:74:08:1a:34:6e:5f:97:e9:4f:2c:0e:                  
              93:75:3c:8d:9d:20:06:aa:29:6f:12:06:9f:5c:09:4b:32:66:                  
              41:45:d9:9f:56:2a:6b:9c:4a:32:1d:31:79:7d:bf:51:31:31:                  
              27:9a:1d:66:14:31:8f:85:36:b8:5b:98:c9:05:89:72:0c:00:                  
              bb:ae:0b:d9:cd:e9:3d:a2:7c:a7:be:7e:50:3f:90:5a:58:95:                  
              19:e1:07:c5:aa:e8:b6:ed:76:ec:17:2c:a0:8a:6c:35:95:db:                  
              40:aa:b8:dd:70:50:f7:d5:df:3f:21:65:d0:2b:0d:01:83:6e:                  
              7e:1b:76:b8:fb:4c:d1:12:10:0e:ac:05:19:81:f0:ab:bb:86:                  
              56:bb:aa:25:e8:c7:75:0e:8c:06:e5:72:88:49:00:82:1d:2f:                  
              af:af:f0:14:2f:86:46:9e:99:5a:e1:f5:4f:53:d5:18:d9:d4:                  
              d3:e4:bf:3f:ec:31:9a:19:16:3c:e2:0b:3b:76:5c:08:2f:89:                  
              b0:5e:3e:3a:35:7f:56:02:84:e8:37:ff:1f:f0:bf:c1:99:97:                  
              81:c0:01:fd:35:16:eb:49:5d:87:d4:b6:90:74:78:ac:49:27:                  
              2a:75:b5:54                                                             
                                                                                      
      Pki realm name: abc                                                             
      Certificate file name: abc_ca.cer                                               
      Certificate peer name: - 

    3. When 60% of the certificate validity period has elapsed, the device sends a certificate update request to the SCEP server.

      Because the regenerate parameter was specified for auto-enroll, the device generates a new RSA key pair and applies for a new certificate with it. The new certificate replaces the certificate file on the CF card and the copy in memory.
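The 60% threshold configured with auto-enroll 60 can be checked against the validity period that display pki certificate local shows. The following Python script is an added example, not Huawei code and not part of this page: it parses the Not Before and Not After lines from a constructed excerpt of that output (using the dates from the example above), computes the instant at which 60% of the validity period has elapsed, and reports whether renewal should already have happened at a given time. The function names are the author's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Constructed excerpt in the format of 'display pki certificate local';
# the dates are the ones shown in the example output on this page.
SAMPLE_OUTPUT = """\
            Validity
                Not Before: Jun 11 08:20:15 2012 GMT
                Not After : Jun 11 08:20:15 2014 GMT
            Subject: C=CN, ST=jiangsu, O=huawei, OU=info, CN=hello
"""

# Matches both 'Not Before:' and 'Not After :' (note the space before the colon).
VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*([A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")


def parse_validity(display_text: str) -> Tuple[datetime, datetime]:
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for which, stamp in VALIDITY_RE.findall(display_text):
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("validity period not found in display output")
    if found["After"] <= found["Before"]:
        raise ValueError("Not After is not later than Not Before")
    return found["Before"], found["After"]


def renewal_time(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """Instant at which 'percent' of the validity period has elapsed.

    Integer timedelta arithmetic is used on purpose so the result is exact to
    the microsecond rather than subject to float rounding.
    """
    if not 0 < percent < 100:
        raise ValueError("percent must be between 1 and 99")
    return not_before + (not_after - not_before) * percent // 100


def renewal_status(display_text: str, percent: int, now: datetime) -> dict:
    """Summarise where 'now' sits relative to the auto-enroll threshold and expiry."""
    not_before, not_after = parse_validity(display_text)
    due = renewal_time(not_before, not_after, percent)
    return {
        "renew_at": due,
        "renewal_due": now >= due,
        "expired": now >= not_after,
        "days_to_renewal": (due - now) / timedelta(days=1),
    }


if __name__ == "__main__":
    status = renewal_status(SAMPLE_OUTPUT, 60, datetime(2013, 1, 1, tzinfo=timezone.utc))
    for key, value in status.items():
        print(f"{key}: {value}")
```

For the two-year certificate in the example, the 60% point falls on 23 August 2013; if the device has not requested a new certificate by then, the SCEP server's reachability, the challenge password and the enrollment URL are the first things to check.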

Configuration Files

#
sysname FW
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
 fqdn test.abc.com
 ip-address 10.2.0.2
 email user@test.abc.com
#
pki realm abc
 ca id ca_root                                                                  
 enrollment-url http://10.3.0.1:80/certsrv/mscep/mscep.dll ra
 entity user01                                                                  
 fingerprint sha1 D5A13C2C686628B273652E88A85EFDAF1BED600D
 rsa local-key-pair rsa_scep                                                    
 password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$                               
 auto-enroll 60 regenerate 
 enrollment-request signature message-digest-method sha1
#
interface GigabitEthernet0/0/1
 ip address 10.2.0.2 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 10.1.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip route-static 10.3.0.0 255.255.255.0 10.2.0.1
#
return
Copyright © Huawei Technologies Co., Ltd.