1. 程式人生 > >SM2-DE

SM2-DE

valid associate ast pki sign inpu 加密 style 粘貼

SM2單證書認證

下端 導入根證書以及通用證書[具有簽名和加密證書的功能]和遠端的證書[獲取遠端公鑰信息]

1、配置證書域

crypto ca identity gernal 
 exit  

2、通過復制粘貼的方式導入根證書以及設備證書:

JR-29(config)#crypto ca import certificate to gernal % Input the certificate data, press <Enter> twice to finish: -----BEGIN CERTIFICATE----- MIIBDzCBtQIEVDj6BDAKBggqgRzPVQGDdTASMRAwDgYDVQQDDAdzbTJyb290MB4X DTE0MTAxMTA5MzYwMFoXDTI0MTAwODA5MzYwMFowEjEQMA4GA1UEAwwHc20yX2Vu YzBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABHMWXxhtoCSlKOt9/A4S5OJQxEqX qzXjox3VaC4QkjkwRfUtxlqaX3r+ZHwnwaetv367KIJNyiTaYEvUxROFvTcwCgYI KoEcz1UBg3UDSQAwRgIhAJV27mJY+SHNQdfF+NyEsReD5q8MztMr5tL5A2Oe3XKK AiEAofW8H3r7FtB7yfit8t60/7NIEqSy59VppDOUItiq7lg= -----END CERTIFICATE-----

% Input the private key data, press <Enter> twice after data to finish or press <Enter> without data to ignore: -----BEGIN EC PRIVATE KEY----- MHcCAQEEIKr0NTOsTN3+U3V6C4ihXIKxvcB8+zlvFEekFwYIb04woAoGCCqBHM9V AYItoUQDQgAEcxZfGG2gJKUo6338DhLk4lDESperNeOjHdVoLhCSOTBF9S3GWppf ev5kfCfBp62/frsogk3KJNpgS9TFE4W9Nw== -----END EC PRIVATE KEY-----

% PKI: Import Certificate success.

3、查看證書:

JR-29#show crypto ca certificates Root CA Certificate: //根證書

Status: Valid

Serial Number: 00

Subject: CN=sm2root

Issuer : CN=sm2root

Validity

Start date: 2014-10-11 06:45:39

End date: 2034-10-06 06:45:39

Key Type: SM2(256 bit) Usage: Sign

Fingerprint(sm3):6b27621fef2ed9ced84d8aba1e91d53557efbe1aec582ce56300f3ef54dc5889

Fingerprint(sha1):210054dd0a4b3813110c4a18dffb162951575d08

Associated Identity: gernal

index: 7

My Certificate: //通用證書:設備證書的公鑰+私鑰

Status: Valid

Serial Number: 5438fa04

Subject: CN=sm2_enc

Issuer : CN=sm2root

Validity

Start date: 2014-10-11 09:36:00

End date: 2024-10-08 09:36:00

Key Type: SM2(256 bit)

Usage: General

Fingerprint(sm3):e69993f0ab5e1427bb8b1083b438b728a7b6342394963e4badca76a266e45a30

Fingerprint(sha1):62bb496ee7d4575701444b7c16453f1614115ac4

Associated Identity: gernal

index: 9

My Certificate:

Status: Valid

Serial Number: 5438fa02

Subject: CN=sm2_sig

Issuer : CN=sm2root

Validity Start date: 2014-10-11 09:35:59 End date: 2024-10-08 09:35:59

Key Type: SM2(256 bit)

Usage: General

Fingerprint(sm3):9ff3091d12ad208edf63cab29ace4c8abb05304a23fb3b475d3781b2e1d3b47f

Fingerprint(sha1):f30fff1c6e2a097b71ae674a43ce0e1ff5422034

Associated Identity: gernal

index: 11

Remote Certificate: //遠端證書 遠端設備的公鑰

Status: Valid

Serial Number: 5438fa04

Subject: CN=sm2_enc

Issuer : CN=sm2root

Validity Start date: 2014-10-11 09:36:00 End date: 2024-10-08 09:36:00

Key Type: SM2(256 bit)

Usage: General

Fingerprint(sm3):e69993f0ab5e1427bb8b1083b438b728a7b6342394963e4badca76a266e45a30

Fingerprint(sha1):62bb496ee7d4575701444b7c16453f1614115ac4

Associated Identity: gernal

index: 10

4、ipsec配置:

crypto tunnel 4gdx

local interface fastcellular2/0

peer address 10.0.4.254

set peer-id CN=sm2_enc //證書認證時本地遠端ID為所認證證書的名稱。

set local-id CN=sm2_sig

set authentication sm2-de //選擇單證書認證,即通用證書認證。

set sec-level basic

set auto-up

exit

crypto policy 4gdx

flow 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 ip tunnel 4gdx

exit

上端配置:導入根證書以及通用證書[具有簽名和加密證書的功能]

上端導入證書的方法與下端一致,不需要導入下端的公鑰信息。

crypto tunnel 4gdx

local address 10.0.4.254

peer any set peer-id CN=sm2_sig

set local-id CN=sm2_enc

set authentication sm2-de

set sec-level basic

exit

crypto policy 4gdx

flow 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 ip tunnel 4gdx set reverse-route

exit

SM2-DE