在CLI管理的ASA上安裝並續訂證書

簡介

本文檔介紹如何在通過CLI管理的Cisco ASA軟體上請求、安裝、信任和續訂特定型別的證書。

必要條件

需求

思科建議您瞭解以下主題：

• 驗證自適應安全裝置(ASA)具有正確的時鐘時間、日期和時區。進行憑證驗證時，建議使用網路時間通訊協定 (NTP) 伺服器同步化 ASA 的時間。檢查相關資訊以供參考。
• 若要請求使用憑證簽署請求(CSR)的憑證，需要存取受信任的內部或第三方憑證授權單位(CA)。 第三方CA供應商的示例包括（但不限於）Entrust、Geotrust、GoDaddy、Thawte和VeriSign。

採用元件

本文中的資訊係根據以下軟體和硬體版本：

• ASAv 9.18.1
• 建立PKCS12時使用OpenSSL。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路運作中，請確保您瞭解任何指令可能造成的影響。

背景資訊

此文檔解決的證書型別為自簽名證書、第三方證書頒發機構簽名的證書或內部CA(在用命令列介面(CLI)管理的思科自適應安全裝置軟體上)。

受信任的CA安全注意事項

證書身份驗證風險和建議

預設信任點驗證 — 使用行為

安裝受信任的CA證書時，可使crypto ca trustpoint authenticate,用該證書使用證書身份驗證來驗證不同型別的VPN連線。它通過trustpoint命validation-usage令控制。validation-usage型別為：

• ipsec-client:驗證IPsec客戶端連線。
• ssl-client:驗證SSL客戶端連線。
• ssl-server:驗證SSL伺服器證書。

預設情況下，該命令允許驗證ipsec-client和ssl-client。

預設配置風險

• 預設情況下，可以作為受信任身份安裝的任何CA證書可用於使用證書身份驗證對任何隧道組的傳入客戶端身份證書進行身份驗證。
• 如果您不知道該預設設定，則它可能會帶來安全風險。

建議的操作

禁用非預期信任點的驗證使用。如果CA證書不是用於對VPN對等體或使用者進行身份驗證，請禁用該信任點的驗證使用。

組態範例

trustpoint public-root-ca
 no validation-usage

授權風險和建議

預設情況下，受信任的CA證書可用於對連線到任何隧道組的VPN對等體或使用者進行身份驗證。需要設計適當的授權。

建議的操作

使用證書對映和隧道組對映以確保僅授權證書用於特定隧道組。設定預設隧道組對映規則，該規則指向無訪問隧道組，以限制未經授權的訪問。

組態範例

僅以下各項允許證書身份驗證：

• 具有cn=example.com頒發的證書並且在證書主題中具有OU=machines的電腦。
• 使用cn=example.com頒發的證書並在證書主題中具有OU=users的使用者。

預設情況下，具有其他證書的使用者將分配給no_access tunnel-group(多虧有命tunnel-group-map default-group no_access令)。由於使用命令，證書對映規則優先於group-tunnel-group-map enable rulesurl。瞭解group-url無助於繞過證書對映規則。

! Configure group-policy preventing VPN access:

group-policy no_access_gp internal
group-policy no_access_gp attributes
 banner value NO ACCESS GROUP POLICY
 (...)
 vpn-simultaneous-logins 0
!

! Configure tunnel-groups for users:

tunnel-group mgmt-tunnel type remote-access
tunnel-group mgmt-tunnel general-attributes
 address-pool vpn_pool
 default-group-policy mgmt-tunnel
tunnel-group mgmt-tunnel webvpn-attributes
 authentication certificate
 group-url https://ftd.example.com/mgmt enable
!
tunnel-group users_access type remote-access
tunnel-group users_access general-attributes
 default-group-policy user_access_gp
 address-pool vpn_pool
tunnel-group users_access webvpn-attributes
 authentication certificate
 group-url https://ftd.example.com/users enable
!

! Configure tunnel-group preventing VPN access:

tunnel-group no_access type remote-access
tunnel-group no_access general-attributes
 default-group-policy no_access_gp
 address-pool vpn_pool
tunnel-group no_access webvpn-attributes
 authentication certificate
!

! Create certificate maps for users:

crypto ca certificate map mgmt_tunnel_map 10
 issuer-name attr cn eq example.com
 subject-name attr ou eq machines
!
crypto ca certificate map users_access_map 10
 issuer-name attr cn eq example.com
 subject-name attr ou eq users
!

! Configure webvpn to use the certificate maps for tunnel-group mapping:

webvpn
 (...)
 certificate-group-map mgmt_tunnel_map 10 mgmt-tunnel
 certificate-group-map users_access_map 10 users_access
!

! Enable tunnel-group maps and set the default tunnel-group preventing access if a user certificate did not match any other certificate map:

tunnel-group-map enable rules
tunnel-group-map default-group no_access
!

其他資源

如需更多詳細設定說明，請參閱Cisco檔案：

• 驗證使用配置- Cisco Secure Firewall ASA系列命令參考，T - Z命令
• 證書對映配置 — Cisco Secure Firewall ASA系列命令參考，T - Z命令
• 隧道組對映配置 — Cisco Secure Firewall ASA系列命令參考，T - Z命令
• Tunnel-Group-Map Enable Configuration - Cisco Secure Firewall ASA Series Command Reference， T - Z Commands
• Cisco ASA軟體和FTD軟體信任點配置預設值

證書安裝

自簽名證書註冊

1. （可選）建立具有特定金鑰大小的命名金鑰對。

   附註：預設情況下，使用名為Default-RSA-Key且大小為2048的RSA金鑰；但是，建議對每個證書使用唯一名稱，以便它們不使用相同的私有/公共金鑰對。

   ASAv(config)# crypto key generate rsa label SELF-SIGNED-KEYPAIR modulus 2048
   INFO: The name for the keys will be: SELF-SIGNED-KEYPAIR
   Keypair generation process begin. Please wait...

   生成的金鑰對可以使用命令檢視 show crypto key mypubkey rsa.

   ASAv# show crypto key mypubkey rsa
   (...)
   Key pair was generated at: 14:52:49 CEDT Jul 15 2022
   Key name: SELF-SIGNED-KEYPAIR
   Usage: General Purpose Key
   Key Size (bits): 2048
   Storage: config
   Key Data:
   
   30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
   ...
   59dcd7d7 c3ee77f5 bbd0988d 515e390e b8d95177 dfaf6b94 a9df474b 1ec3b4a4
   af020301 0001

2. 建立具有特定名稱的信任點。自行配置註冊型別。

   ASAv(config)# crypto ca trustpoint SELF-SIGNED
   ASAv(config-ca-trustpoint)# enrollment self

3. 配置完全限定域名(FQDN)和使用者名稱。

   注意：FQDN引數必須與證書使用的ASA介面的FQDN或IP地址匹配。此引數設定證書的使用者替代名稱(SAN)。

   ASAv(config-ca-trustpoint)# fqdn asavpn.example.com
   ASAv(config-ca-trustpoint)# subject-name CN=asavpn.example.com,O=Example Inc,C=US,St=California,L=San Jose

4. （可選）配置步驟1中建立的金鑰對名稱。如果使用預設金鑰對，則不需要此名稱。

   ASAv(config-ca-trustpoint)# keypair SELF-SIGNED-KEYPAIR
   ASAv(config-ca-trustpoint)# exit

5. 註冊信任點並生成證書。

   ASAv(config)# crypto ca enroll SELF-SIGNED
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.
   
   Would you like to continue with this enrollment? [yes/no]: yes
   % The fully-qualified domain name in the certificate will be: asa.example.com
   % Include the device serial number in the subject name? [yes/no]: no
   Generate Self-Signed Certificate? [yes/no]: yes
   ASAv(config)# exit

6. 完成後，可以使用命令檢視新的自簽名證show crypto ca certificates 書。

   ASAv# show crypto ca certificates SELF-SIGNED
   Certificate
   Status: Available
   Certificate Serial Number: 62d16084
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Subject Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Validity Date:
   start date: 15:00:58 CEDT Jul 15 2022
   end date: 15:00:58 CEDT Jul 12 2032
   Storage: config
   Associated Trustpoints: SELF-SIGNED

按證書簽名請求(CSR)註冊

1. （可選）建立具有特定金鑰大小的命名金鑰對。

   附註：預設情況下，使用名為Default-RSA-Key且大小為2048的RSA金鑰；但是，建議對每個證書使用唯一名稱，以便它們不使用相同的私有/公共金鑰對。

   ASAv(config)# crypto key generate rsa label CA-SIGNED-KEYPAIR modulus 2048
   INFO: The name for the keys will be: CA-SIGNED-KEYPAIR
   Keypair generation process begin. Please wait...

   生成的金鑰對可以使用命令檢視 show crypto key mypubkey rsa.

   ASAv# show crypto key mypubkey rsa
   (...)
   Key pair was generated at: 14:52:49 CEDT Jul 15 2022
   Key name: CA-SIGNED-KEYPAIR
   Usage: General Purpose Key
   Key Size (bits): 2048
   Storage: config
   Key Data:
   
   30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
   ...
   59dcd7d7 c3ee77f5 bbd0988d 515e390e b8d95177 dfaf6b94 a9df474b 1ec3b4a4
   af020301 0001

2. 建立具有特定名稱的信任點。配置註冊型別終端。

   ASAv(config)# crypto ca trustpoint CA-SIGNED
   ASAv(config-ca-trustpoint)# enrollment terminal

3. 配置完全限定域名和使用者名稱。FQDN和主題CN引數必須與使用證書的服務的FQDN或IP地址匹配。

   ASAv(config-ca-trustpoint)# fqdn asavpn.example.com
   ASAv(config-ca-trustpoint)# subject-name CN=asavpn.example.com,O=Example Inc,C=US,St=California,L=San Jose

4. （可選）配置在步驟1中建立的金鑰對名稱。

   ASAv(config-ca-trustpoint)# keypair CA-SIGNED-KEYPAIR

5. （可選）配置證書撤銷檢查方法 — 使用證書撤銷清單(CRL)或線上證書狀態協定(OCSP)。 預設情況下，證書吊銷檢查處於禁用狀態。

   ASAv(config-ca-trustpoint)# revocation-check ocsp

6. （可選）對信任點進行身份驗證，並安裝將身份證書簽名為受信任的CA證書。如果在此步驟中未安裝，則稍後可以將CA證書與身份證書一起安裝。

   ASAv(config)# crypto ca authenticate CA-SIGNED
   Enter the base 64 encoded CA certificate.
   End with the word "quit" on a line by itself
   
   ASAv(config)# crypto ca authenticate CA-SIGNED
   Enter the base 64 encoded CA certificate.
   End with the word "quit" on a line by itself
   
   -----BEGIN CERTIFICATE-----
   MIIDXDCCAkSgAwIBAgIIDM/QY/h29+kwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UE
   BhMCUEwxDzANBgNVBAoTBnd3LXZwbjEMMAoGA1UECxMDbGFiMRcwFQYDVQQDEw5j
   YS5leGFtcGxlLmNvbTAeFw0xNTAyMDYxNDEwMDBaFw0zMDAyMDYxNDEwMDBaMEUx
   CzAJBgNVBAYTAlBMMQ8wDQYDVQQKEwZ3dy12cG4xDDAKBgNVBAsTA2xhYjEXMBUG
   A1UEAxMOY2EuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQDI6pth5KFFTB29LynOg9/CTiOGYa+WFTcZXSLHZA6WTUzLYM19IbSFHWa6
   gTeBnHqToLRnQoB51QlxEA45ArL2G98aew8BMD08GXkxWayforwLA3U9WZVTZsVN
   4noWaXH1boGGD7+5vk0esJfL2B7pEhGodLh7Gki1T4KoqL/lDM9LqkzOctZkCT7f
   SkXvFik1Z1cZEGn6b2umnIqaVZ81ewIuTHOX48ls3uxTPH8+B5QG0+d1waOsbCWk
   oK5sEPpHZ3IQuVxGiirp/zmomzxl4G/tel6eyMOpjpnVtDYjQ9HNkQdQT5LKwRsX
   Oj9xKnYCbPfg3p2FdH7wJh1lK3prAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYD
   VR0OBBYEFE55kZsbra9b9tLFV52U47em9uXaMB8GA1UdIwQYMBaAFE55kZsbra9b
   9tLFV52U47em9uXaMA0GCSqGSIb3DQEBCwUAA4IBAQArsXlFwK3jlNBwOsYh5mqT
   cGqeyDMRhs3Rs/wD25M2wkAF4AYZHgN9gK9VCK+ModKMQZy4X/uhj65NDU7oFf6f
   z9kqaRijsx153jV/YLk8E9oAIatnA/fQfX6V+h74yqucfF1js3d1FjyV14odRPwM
   0jRyjalH56BFlackNc7KRddtVxYB9sfEbFhN8odlBvnUedxGAJFHqxEQKmBE+h4w
   gW8YnHOvM08svyTXSLlJf0UCdmAY+lG0gqhUlSlkFBtLRt6Z2uCot00NoMHI0hh5
   dcVcovOi/PAxnrAlJ+Ng2jrWFN3MXWZO4S3CHYMGkWqHkaHChlqDOx9badgfsyzz
   -----END CERTIFICATE-----
   
   quit
   
   INFO: Certificate has these attributes:
   Fingerprint: e9ad165c 2673424c 6e7e0c5f b30b4a02
   Do you accept this certificate? [yes/no]: yes
   WARNING: CA certificates can be used to validate VPN connections,
   by default. Please adjust the validation-usage of this
   trustpoint to limit the validation scope, if necessary.
   
   Trustpoint CA certificate accepted.
   
   % Certificate successfully imported

7. 註冊證書並生成可複製並傳送到CA進行簽名的CSR。CSR包括信任點使用的金鑰對中的公鑰。只有具有此金鑰對的裝置才能使用已簽名的證書。

   附註：  簽署CSR和建立簽名身份證書時，CA可以更改信任點中定義的FQDN和主題名稱引數。

   ASAv(config)# crypto ca enroll CA-SIGNED
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.
   
   Would you like to continue with this enrollment? [yes/no]: yes
   % Start certificate enrollment ..
   % The subject name in the certificate will be: CN=asavpn.example.com,O=Example Inc,C=US,St=California,L=San Jose
   
   % The fully-qualified domain name in the certificate will be: asavpn.example.com
   
   % Include the device serial number in the subject name? [yes/no]: no
   
   Display Certificate Request to terminal? [yes/no]: yes
   Certificate Request follows:
   -----BEGIN CERTIFICATE REQUEST-----
   MIIDHzCCAgcCAQAwgYsxGzAZBgNVBAMMEmFzYXZwbi5leGFtcGxlLmNvbTEUMBIG
   A1UECgwLRXhhbXBsZSBJbmMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
   bmlhMREwDwYDVQQHDAhTYW4gSm9zZTEhMB8GCSqGSIb3DQEJAgwSYXNhdnBuLmV4
   YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5cvZVr1j
   Me8Mz4T3vgT1Z8DAAR0avs/TBdYiqGdjyiV/3K92IIT/0r8cuAUe5rR4sjTvaXYC
   SycSbwKc4kZbr3x120ss8Itd5g4kBdrUSCprl+VMiTphQgBTAqRPk0vFX4rC8k/T
   0PFDE+2gjT1wMn9reb92jYrolGK4MWZdCzqowLPjEj5cCwu8Pv5h4hqTpudms+v4
   g3R1OODmeyv4uEMYLS/noPxZXZ8YiQMiG2EP2Bg0KOT3Fzx0mVuekonQtRhiZt+c
   zyyfSRoqyBSakEZBwABod8q1Eg5J/pH130JlitOUJEyIlFoVHqv3jL7zfA9ilInu
   NaHkir062VQNXwIDAQABoE4wDwYJKoZIhvcNAQkHMQITADA7BgkqhkiG9w0BCQ4x
   LjAsMAsGA1UdDwQEAwIFoDAdBgNVHREEFjAUghJhc2F2cG4uZXhhbXBsZS5jb20w
   DQYJKoZIhvcNAQELBQADggEBAM3Q3zvp9G3MWP7R4wkpnBOH2CNUmPENIhHNjQjH
   Yh08EOvWyoo9FaLfHKVDLvFXh0vn5osXBmPLuVps6Ta4sBRUNicRoAmmA0pDWL9z
   Duu8BQnBGuN08T/H3ydjaNoPJ/f6EZ8gXY29NXEKb/+A2Tt0VVUTsYreGS+84Gqo
   ixFOtW8R50IXg+afAVOAh81xVUFOvuAi9DsiuvufMb4wdngQSOel/B9Zgp/BfGMl
   l0ApgejACoJAGmyrn9Tj6Z/6/lbpKBKpf4VE5UXdj7WLAjw5JF/X2NrH3/cQsczi
   G2Yg2dr3WpkTIY2W/kVohTiohVRkgXOMCecUaMlYxJyLTRQ=
   -----END CERTIFICATE REQUEST-----
   
   Redisplay enrollment request? [yes/no]: no

8. 匯入身份證書。簽署CSR後，會提供身份證書。

   ASAv(config)# crypto ca import CA-SIGNED certificate
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.

   Would you like to continue with this enrollment? [yes/no]: yes
   
   % The fully-qualified domain name in the certificate will be: asavpn.example.com
   
   Enter the base 64 encoded certificate.
   End with the word "quit" on a line by itself
   -----BEGIN CERTIFICATE-----
   MIIDoTCCAomgAwIBAgIIKbLY8Qt8N5gwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UE
   BhMCUEwxDzANBgNVBAoTBnd3LXZwbjEMMAoGA1UECxMDbGFiMRcwFQYDVQQDEw5j
   (...)
   kzAihRuFqmYYUeQP2Byp/S5fNqUcyZfAczIHt8BcPmVO9l6iSF/ULGlzXMSOUX6N
   d/LHXwrcTpc1zU+7qx3TpVDZbJlwwF+BWTBlxgM0BosJx65u/n75KnbBhGUE75jV
   HX2eRzuhnnSVExCoeyed7DLiezD8
   -----END CERTIFICATE-----
   quit
   INFO: Certificate successfully imported

9. 驗證憑證鏈結。完成後，可以使用命令檢視新的身份證書和CA證show crypto ca certificates 書。

   ASAv# show crypto ca certificates CA-SIGNED
   CA Certificate
   Status: Available
   Certificate Serial Number: 0ccfd063f876f7e9
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Validity Date:
   start date: 15:10:00 CEST Feb 6 2015
   end date: 15:10:00 CEST Feb 6 2030
   Storage: config
   Associated Trustpoints: CA-SIGNED
   
   Certificate
   Status: Available
   Certificate Serial Number: 29b2d8f10b7c3798
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   unstructuredName=asavpn.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asavpn.example.com
   Validity Date:
   start date: 15:33:00 CEDT Jul 15 2022
   end date: 15:33:00 CEDT Jul 15 2023
   Storage: config
   Associated Trustpoints: CA-SIGNED

PKCS12註冊

使用從您的CA接收的PKCS12檔案，該檔案包含金鑰對、身份證書和（可選）CA證書鏈。

1. 建立具有特定名稱的信任點。

   ASAv(config)# crypto ca trustpoint Trustpoint-PKCS12
   ASAv(config-ca-trustpoint)# exit

   附註：  匯入的金鑰對以信任點名稱命名。

2. （可選）配置證書撤銷檢查方法 — 使用證書撤銷清單(CRL)或線上證書狀態協定(OCSP)。 預設情況下，證書吊銷檢查處於禁用狀態。

   ASAv(config-ca-trustpoint)# revocation-check ocsp

3. 從PKCS12檔案匯入證書。

   附註：  PKCS12檔案需要進行base64編碼。如果在文本編輯器中開啟檔案時看到可列印字元，則該檔案為base64編碼。若要將二進位制檔案轉換為base64編碼格式，可使用openssl。

   openssl enc -base64 -in asavpnpkcs12chain.example.com.pfx -out asavpnpkcs12chain.example.com.pfx.txt

   指令:

   crypto ca import trustpoint pkcs12 passphrase [ nointeractive ]

   ASAv(config)# crypto ca import TP-PKCS12 pkcs12 cisco123
   
   Enter the base 64 encoded pkcs12.
   End with the word "quit" on a line by itself:
   MIIN4gIBAzCCDawGCSqGSIb3DQEHAaCCDZ0Egg2ZMIINlTCCCBcGCSqGSIb3DQEH
   BqCCCAgwgggEAgEAMIIH/QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIiK0c
   wqE3Tm0CAggAgIIH0NjxmJBuoPRuYl1VxTiawHzsL8kIl03lOj7tcWmECBwzsKKq
   (...)
   PXowMwYJKoZIhvcNAQkUMSYeJABhAHMAYQB2AHAAbgAuAGUAeABhAG0AcABsAGUA
   LgBjAG8AbTAtMCEwCQYFKw4DAhoFAAQUPXZZtBeqlh98wQljHW7J/hqoKcwECD05
   dnxCNJx6
   quit
   
   Trustpoint CA certificate accepted.
   WARNING: CA certificates can be used to validate VPN connections,
   by default. Please adjust the validation-usage of this
   trustpoint to limit the validation scope, if necessary.
   
   INFO: Import PKCS12 operation completed successfully.
   

4. 驗證安裝的證書。

   ASAv# show crypto ca certificates TP-PKCS12
   
   Certificate
   Status: Available
   Certificate Serial Number: 2b368f75e1770fd0
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   unstructuredName=asavpn.example.com
   CN=asavpnpkcs12chain.example.com
   O=Example Inc
   L=San Jose
   ST=California
   C=US
   Validity Date:
   start date: 15:33:00 CEDT Jul 15 2022
   end date: 15:33:00 CEDT Jul 15 2023
   Storage: config
   Associated Trustpoints: TP-PKCS12
   
   CA Certificate
   Status: Available
   Certificate Serial Number: 0ccfd063f876f7e9
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Validity Date:
   start date: 15:10:00 CEST Feb 6 2015
   end date: 15:10:00 CEST Feb 6 2030
   Storage: config
   Associated Trustpoints: TP-PKCS12

   在上一個示例中，PKCS12包含身份和CA證書 — 兩個條目 — 證書和CA證書。否則，只有憑證存在。

5. （可選）驗證信任點。

   如果PKCS12不包含CA證書，並且以PEM格式單獨獲取CA證書，則可以手動安裝該證書。

   ASAv(config)# crypto ca authenticate TP-PKCS12
   Enter the base 64 encoded CA certificate.
   End with the word "quit" on a line by itself
   
   -----BEGIN CERTIFICATE-----
   MIIDXDCCAkSgAwIBAgIIDM/QY/h29+kwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UE
   BhMCUEwxDzANBgNVBAoTBnd3LXZwbjEMMAoGA1UECxMDbGFiMRcwFQYDVQQDEw5j
   (...)
   gW8YnHOvM08svyTXSLlJf0UCdmAY+lG0gqhUlSlkFBtLRt6Z2uCot00NoMHI0hh5
   dcVcovOi/PAxnrAlJ+Ng2jrWFN3MXWZO4S3CHYMGkWqHkaHChlqDOx9badgfsyzz
   -----END CERTIFICATE-----
   quit
   
   INFO: Certificate has these attributes:
   Fingerprint: e9ad165c 2673424c 6e7e0c5f b30b4a02
   Do you accept this certificate? [yes/no]: yes
   
   WARNING: CA certificates can be used to validate VPN connections,
   by default. Please adjust the validation-usage of this
   trustpoint to limit the validation scope, if necessary.
   
   Trustpoint CA certificate accepted.
   
   % Certificate successfully imported
   

證書續訂

續訂自簽名證書

1. 檢查當前證書到期日期。

   # show crypto ca certificates SELF-SIGNED
   Certificate
   Status: Available
   Certificate Serial Number: 62d16084
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Subject Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Validity Date:
   start date: 15:00:58 CEDT Jul 15 2022
   end date: 15:00:58 CEDT Jul 12 2032
   Storage: config
   Associated Trustpoints: SELF-SIGNED

2. 重新生成證書。

   ASAv# conf t
   ASAv(config)# crypto ca enroll SELF-SIGNED
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.
   Would you like to continue with this enrollment? [yes/no]: yes
   
   WARNING: Trustpoint TP has already enrolled and has
   a device cert issued to it.
   If you successfully re-enroll this trustpoint,
   the current certificate will be replaced.
   Do you want to continue with re-enrollment? [yes/no]: yes
   % The fully-qualified domain name in the certificate will be: asa.example.com
   % Include the device serial number in the subject name? [yes/no]: no
   Generate Self-Signed Certificate? [yes/no]: yes
   ASAv(config)# exit
   

3. 驗證新憑證。

   ASAv# show crypto ca certificates SELF-SIGNED
   Certificate
   Status: Available
   Certificate Serial Number: 62d16085
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Subject Name:
   unstructuredName=asa.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asa.example.com
   Validity Date:
   start date: 15:09:09 CEDT Jul 20 2022
   end date: 15:09:09 CEDT Jul 17 2032
   Storage: config
   Associated Trustpoints: SELF-SIGNED
   

使用證書簽名請求(CSR)註冊續訂證書

附註：如果需要為新證書更改任何新證書元素（subject/fqdn、金鑰對），則建立新證書。請參閱使用憑證簽署請求(CSR)進行註冊部分。下一個過程只是刷新證書到期日期。

1. 檢查當前證書到期日期。

   ASAv# show crypto ca certificates CA-SIGNED
   
   Certificate
   Status: Available
   Certificate Serial Number: 29b2d8f10b7c3798
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   unstructuredName=asavpn.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asavpn.example.com
   Validity Date:
   start date: 15:33:00 CEDT Jul 15 2022
   end date: 15:33:00 CEDT Jul 15 2023
   Storage: config
   Associated Trustpoints: CA-SIGNED
   
   Certificate
   Subject Name:
   Status: Pending terminal enrollment
   Key Usage: General Purpose
   Fingerprint: 790aa617 c30c6894 0bdc0327 0d60b032
   Associated Trustpoint: CA-SIGNED
   

2. 註冊證書。生成可以複製並傳送到CA進行簽名的CSR。CSR包括信任點使用的金鑰對中的公鑰 — 只有具有該金鑰對的裝置才能使用已簽名的證書。

   附註：簽署CSR和建立簽名身份證書時，CA可以更改信任點中定義的FQDN和主題名稱引數。

   附註：對於同一信任點，若沒有更改主題/fqdn和金鑰對配置，後續註冊將給出與初始註冊相同的CSR。

   ASAv# conf t
   ASAv(config)# crypto ca enroll CA-SIGNED
   
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.
   Would you like to continue with this enrollment? [yes/no]: yes
   
   % Start certificate enrollment ..
   % The subject name in the certificate will be: CN=asavpn.example.com,O=Example Inc,C=US,St=California,L=San Jose
   % The fully-qualified domain name in the certificate will be: asavpn.example.com
   % Include the device serial number in the subject name? [yes/no]: no
   Display Certificate Request to terminal? [yes/no]: yes
   Certificate Request follows:
   
   -----BEGIN CERTIFICATE REQUEST-----
   MIIDHzCCAgcCAQAwgYsxGzAZBgNVBAMMEmFzYXZwbi5leGFtcGxlLmNvbTEUMBIG
   A1UECgwLRXhhbXBsZSBJbmMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
   bmlhMREwDwYDVQQHDAhTYW4gSm9zZTEhMB8GCSqGSIb3DQEJAgwSYXNhdnBuLmV4
   YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5cvZVr1j
   Me8Mz4T3vgT1Z8DAAR0avs/TBdYiqGdjyiV/3K92IIT/0r8cuAUe5rR4sjTvaXYC
   SycSbwKc4kZbr3x120ss8Itd5g4kBdrUSCprl+VMiTphQgBTAqRPk0vFX4rC8k/T
   0PFDE+2gjT1wMn9reb92jYrolGK4MWZdCzqowLPjEj5cCwu8Pv5h4hqTpudms+v4
   g3R1OODmeyv4uEMYLS/noPxZXZ8YiQMiG2EP2Bg0KOT3Fzx0mVuekonQtRhiZt+c
   zyyfSRoqyBSakEZBwABod8q1Eg5J/pH130JlitOUJEyIlFoVHqv3jL7zfA9ilInu
   NaHkir062VQNXwIDAQABoE4wDwYJKoZIhvcNAQkHMQITADA7BgkqhkiG9w0BCQ4x
   LjAsMAsGA1UdDwQEAwIFoDAdBgNVHREEFjAUghJhc2F2cG4uZXhhbXBsZS5jb20w
   DQYJKoZIhvcNAQELBQADggEBAM3Q3zvp9G3MWP7R4wkpnBOH2CNUmPENIhHNjQjH
   Yh08EOvWyoo9FaLfHKVDLvFXh0vn5osXBmPLuVps6Ta4sBRUNicRoAmmA0pDWL9z
   Duu8BQnBGuN08T/H3ydjaNoPJ/f6EZ8gXY29NXEKb/+A2Tt0VVUTsYreGS+84Gqo
   ixFOtW8R50IXg+afAVOAh81xVUFOvuAi9DsiuvufMb4wdngQSOel/B9Zgp/BfGMl
   l0ApgejACoJAGmyrn9Tj6Z/6/lbpKBKpf4VE5UXdj7WLAjw5JF/X2NrH3/cQsczi
   G2Yg2dr3WpkTIY2W/kVohTiohVRkgXOMCecUaMlYxJyLTRQ=
   -----END CERTIFICATE REQUEST-----
   
   Redisplay enrollment request? [yes/no]: no
   

3. 匯入身份證書。簽署CSR後，會提供身份證書。

   ASAv(config)# crypto ca import CA-SIGNED certificate
   
   WARNING: The certificate enrollment is configured with an fqdn
   that differs from the system fqdn. If this certificate will be
   used for VPN authentication this may cause connection problems.
   Would you like to continue with this enrollment? [yes/no]: yes
   
   % The fully-qualified domain name in the certificate will be: asavpn.example.com
   
   Enter the base 64 encoded certificate.
   End with the word "quit" on a line by itself
   
   -----BEGIN CERTIFICATE-----
   MIIDgTCCAmmgAwIBAgIIMA+aIxCtNtMwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UE
   BhMCUEwxDzANBgNVBAoTBnd3LXZwbjEMMAoGA1UECxMDbGFiMRcwFQYDVQQDEw5j
   YS5leGFtcGxlLmNvbTAeFw0yMjA3MjAxNDA5MDBaFw0yMzA3MjAxNDA5MDBaMIGL
   MRswGQYDVQQDDBJhc2F2cG4uZXhhbXBsZS5jb20xFDASBgNVBAoMC0V4YW1wbGUg
   SW5jMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwI
   U2FuIEpvc2UxITAfBgkqhkiG9w0BCQIMEmFzYXZwbi5leGFtcGxlLmNvbTCCASIw
   DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOXL2Va9YzHvDM+E974E9WfAwAEd
   Gr7P0wXWIqhnY8olf9yvdiCE/9K/HLgFHua0eLI072l2AksnEm8CnOJGW698ddtL
   LPCLXeYOJAXa1Egqa5flTIk6YUIAUwKkT5NLxV+KwvJP09DxQxPtoI09cDJ/a3m/
   do2K6JRiuDFmXQs6qMCz4xI+XAsLvD7+YeIak6bnZrPr+IN0dTjg5nsr+LhDGC0v
   56D8WV2fGIkDIhthD9gYNCjk9xc8dJlbnpKJ0LUYYmbfnM8sn0kaKsgUmpBGQcAA
   aHfKtRIOSf6R9d9CZYrTlCRMiJRaFR6r94y+83wPYpSJ7jWh5Iq9OtlUDV8CAwEA
   AaMuMCwwCwYDVR0PBAQDAgWgMB0GA1UdEQQWMBSCEmFzYXZwbi5leGFtcGxlLmNv
   bTANBgkqhkiG9w0BAQsFAAOCAQEAfQUchY4UjhjkySMJAh7NT3TT5JJ4NzqW8qHa
   wNq+YyHR+sQ6G3vn+6cYCU87tqWlY3fXC27TwweREwMbq8NsJrr80hsChYby8kwE
   LnTkrN7dJBl7u5OVQ3DRjfmFrJ9LEUaYZx1HYvcS1kAeEeVB4VJwVzeujWepcmEM
   p7cB6veTcF9rulDVRImd0KYEOx+HYav2INT2udc0G1yDwml/mqdf0/ON2SpBBpnE
   gtiKshtsST/NAw25WjkrDIfN8uR2z5xpzxnEDUBoHOipGlgb1I6G1ARXWO+LwfBl
   n1QD5b/RdQOUbLCpfKNPdE/9wNnoXGDlJ7qfZxrO4T7ld2Idug==
   -----END CERTIFICATE-----
   quit
   
   INFO: Certificate successfully imported

4. 驗證新證書到期日期。

   ASAv# show crypto ca certificates CA-SIGNED
   Certificate
   Status: Available
   Certificate Serial Number: 300f9a2310ad36d3
   Certificate Usage: General Purpose
   Public Key Type: RSA (2048 bits)
   Signature Algorithm: RSA-SHA256
   Issuer Name:
   CN=ca.example.com
   OU=lab
   O=ww-vpn
   C=PL
   Subject Name:
   unstructuredName=asavpn.example.com
   L=San Jose
   ST=California
   C=US
   O=Example Inc
   CN=asavpn.example.com
   Validity Date:
   start date: 16:09:00 CEDT Jul 20 2022
   end date: 16:09:00 CEDT Jul 20 2023
   Storage: config
   Associated Trustpoints: CA-SIGNED
   

PKCS12續訂

無法在使用PKCS12檔案註冊的信任點中續訂證書。要安裝新證書，需要建立新的信任點。

1. 建立具有特定名稱的信任點。

   ASAv(config)# crypto ca trustpoint Trustpoint-PKCS12-2022
   ASAv(config-ca-trustpoint)# exit

2. （可選）配置證書撤銷檢查方法 — 使用證書撤銷清單(CRL)或線上證書狀態協定(OCSP)。 預設情況下，證書吊銷檢查處於禁用狀態。

   ASAv(config-ca-trustpoint)# revocation-check ocsp

3. 從PKCS12檔案匯入新證書。

   附註：  PKCS12檔案需要進行base64編碼。如果在文本編輯器中開啟檔案時看到可列印字元，則該檔案為base64編碼。要將二進位制檔案轉換為base64編碼形式，可以使用openssl。

   openssl enc -base64 -in asavpnpkcs12chain.example.com.pfx -out asavpnpkcs12chain.example.com.pfx.txt

   ASAv(config)# crypto ca import TP-PKCS12-2022 pkcs12 cisco123
   
   Enter the base 64 encoded pkcs12.
   End with the word "quit" on a line by itself:
   MIIN4gIBAzCCDawGCSqGSIb3DQEHAaCCDZ0Egg2ZMIINlTCCCBcGCSqGSIb3DQEH
   BqCCCAgwgggEAgEAMIIH/QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIiK0c
   wqE3Tm0CAggAgIIH0NjxmJBuoPRuYl1VxTiawHzsL8kIl03lOj7tcWmECBwzsKKq
   (...)
   PXowMwYJKoZIhvcNAQkUMSYeJABhAHMAYQB2AHAAbgAuAGUAeABhAG0AcABsAGUA
   LgBjAG8AbTAtMCEwCQYFKw4DAhoFAAQUPXZZtBeqlh98wQljHW7J/hqoKcwECD05
   dnxCNJx6
   quit
   
   Trustpoint CA certificate accepted.
   WARNING: CA certificates can be used to validate VPN connections,
   by default. Please adjust the validation-usage of this
   trustpoint to limit the validation scope, if necessary.
   
   INFO: Import PKCS12 operation completed successfully.
   

   附註：  如果新PKCS12檔案包含身份證書，該身份證書與舊證書使用的金鑰對相同，則新信任點引用舊金鑰對名稱。
   範例：

   ASAv(config)# crypto ca import TP-PKCS12-2022 pkcs12 cisco123
   
   Enter the base 64 encoded pkcs12. End with the word "quit" on a line by itself:
   
   MIIN4gIBAzCCDawGCSqGSIb3DQEHAaCCDZ0Egg2ZMIINlTCCCBcGCSqGSIb3DQEH
   ...
   dnxCNJx6
   quit
   
   WARNING: Identical public key already exists as TP-PKCS12
   
   ASAv(config)# show run crypto ca trustpoint TP-PKCS12-2022
   crypto ca trustpoint TP-PKCS12-2022
    keypair TP-PKCS12
    no validation-usage crl configure
   

4. 驗證安裝的證書。

   ASAv# show crypto ca certificates TP-PKCS12-2022
   
   Certificate
    Status: Available 
    Certificate Serial Number: 2b368f75e1770fd0
    Certificate Usage: General Purpose
    Public Key Type: RSA (2048 bits)
    Signature Algorithm: RSA-SHA256
    Issuer Name: CN=ca.example.com OU=lab O=ww-vpn C=PL
    Subject Name: unstructuredName=asavpn.example.com CN=asavpnpkcs12chain.example.com O=Example Inc L=San Jose ST=California C=US
    Validity Date:
    start date: 15:33:00 CEDT Jul 15 2022
    end date: 15:33:00 CEDT Jul 15 2023
    Storage: config
    Associated Trustpoints: TP-PKCS12-2022
   
   CA Certificate
    Status: Available
    Certificate Serial Number: 0ccfd063f876f7e9
    Certificate Usage: General Purpose
    Public Key Type: RSA (2048 bits)
    Signature Algorithm: RSA-SHA256 
    Issuer Name: CN=ca.example.com OU=lab O=ww-vpn C=PL
    Subject Name: CN=ca.example.com OU=lab O=ww-vpn C=PL
    Validity Date:
    start date: 15:10:00 CEST Feb 6 2015
    end date: 15:10:00 CEST Feb 6 2030
    Storage: config
    Associated Trustpoints: TP-PKCS12-2022
   

   在上一個示例中，PKCS12包含身份證書和CA證書，因此，在匯入後會顯示兩個條目：憑證和CA憑證。否則，僅存在證書條目。

5. （可選）驗證信任點。

   如果PKCS12不包含CA證書，並且以PEM格式單獨獲取CA證書，則可以手動安裝該證書。

   ASAv(config)# crypto ca authenticate TP-PKCS12-2022
   Enter the base 64 encoded CA certificate.
   End with the word "quit" on a line by itself
   
   -----BEGIN CERTIFICATE-----
   MIIDXDCCAkSgAwIBAgIIDM/QY/h29+kwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UE
   BhMCUEwxDzANBgNVBAoTBnd3LXZwbjEMMAoGA1UECxMDbGFiMRcwFQYDVQQDEw5j
   (...)
   gW8YnHOvM08svyTXSLlJf0UCdmAY+lG0gqhUlSlkFBtLRt6Z2uCot00NoMHI0hh5
   dcVcovOi/PAxnrAlJ+Ng2jrWFN3MXWZO4S3CHYMGkWqHkaHChlqDOx9badgfsyzz
   -----END CERTIFICATE-----
   quit
   
   INFO: Certificate has these attributes:
   Fingerprint: e9ad165c 2673424c 6e7e0c5f b30b4a02
   Do you accept this certificate? [yes/no]: yes
   
   WARNING: CA certificates can be used to validate VPN connections,
   by default. Please adjust the validation-usage of this
   trustpoint to limit the validation scope, if necessary.
   
   Trustpoint CA certificate accepted.
   
   % Certificate successfully imported
   

6. 重新配置ASA以使用新信任點而不是舊信任點。

範例：

ASAv# show running-config ssl trust-point 
ssl trust-point TP-PKCS12
ASAv# conf t
ASAv(config)#ssl trust-point TP-PKCS12-2022
ASAv(config)#exit

附註：信任點可以在不同的配置元素中使用。檢查使用舊信任點的配置。

相關資訊

如何在ASA上配置時間設定。

檢查此參考以瞭解在ASA上正確設定時間和日期所需的步驟。CLI手冊1:Cisco安全防火牆ASA系列常規操作CLI配置指南，9.18