Troubleshooting Guide for the Cisco ASA 5505 Adaptive Security Appliance

Note: In this setup the router and the ASA are connected directly, but they could be separated by many hops.
If so, make sure that each side has a route to the peer IP address. The following configuration details only
the cryptography used.
Steps Required to Enable the Router to use the ECDSA
Certificate Authority
1. Create an elliptic curve keypair. OpenSSL registers this curve as prime256v1 (NIST P-256; SECG calls the same curve secp256r1) and rejects the name secp256r1 as an unknown curve, so use prime256v1.
openssl ecparam -out ca.key -name prime256v1 -genkey
2. Create an elliptic curve self-signed certificate.
openssl req -x509 -new -key ca.key -out ca.pem -outform PEM -days 3650
FlexVPN
1. Configure a domain name and a hostname, which are prerequisites for creating an elliptic curve (EC) keypair.
ip domain-name cisco.com
hostname Router1
crypto key generate ec keysize 256 label router1.cisco.com
2. Create a local trustpoint in order to obtain a certificate from the CA.
crypto pki trustpoint ec_ca
 enrollment terminal
 subject-name cn=router1.cisco.com
 revocation-check none
 eckeypair router1.cisco.com
 hash sha256
Note: Because the CA is offline, revocation checking is disabled here; enable revocation checking for maximum
security in a production environment.
3. Authenticate the trustpoint. This obtains a copy of the CA's certificate, which contains the CA's public key.
crypto pki authenticate ec_ca
4. You are then prompted to enter the base64-encoded certificate of the CA. This is the file ca.pem that was
created with OpenSSL. To view it, open it in an editor or run the OpenSSL command openssl x509 -in ca.pem.
After you paste the certificate, enter quit on a line by itself. The router then displays the certificate's
fingerprints; compare them with the output of openssl x509 -in ca.pem -noout -fingerprint -sha1 before you
type yes to accept.
5. Enroll the router in the Public Key Infrastructure (PKI) on the CA.
crypto pki enroll ec_ca
6. The output you receive is the certificate request that must be submitted to the CA. Save it as a text file
(flex.csr) and sign it with the OpenSSL command below. openssl ca reads its certificate database (index.txt,
serial, new-certificate directory) and default settings from an OpenSSL configuration file, so that CA
directory must exist before this command succeeds; -notext keeps the human-readable dump out of flex.pem, so
the file contains only the PEM certificate that the router expects.
openssl ca -keyfile ca.key -cert ca.pem -md sha256 -notext -in flex.csr -out flex.pem
7. Import the certificate that the CA generated, contained in the file flex.pem, into the router after you
enter this command. Paste the certificate, then enter quit when you are done.
crypto pki import ec_ca certificate
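The CA side of this procedure run end to end, as an added example that is not part of the Cisco guide: it builds the directory layout and configuration that openssl ca needs before step 6 of the FlexVPN section can succeed (the two commands in the Certificate Authority section leave those out), generates a CSR locally as a stand-in for the output of crypto pki enroll because no router is present, signs it, and checks the issued certificate before it is pasted into crypto pki import. The CA directory passed as the first argument, the CA subject "Example EC CA", the router key file router.key and the temporary-directory fallback are assumptions; the OpenSSL commands are the ones the guide uses, with the curve given under the name OpenSSL recognises (prime256v1, the same curve as secp256r1).

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the CA side of the procedure
# above, with a locally generated CSR standing in for the router's output.
# Assumptions: openssl 1.1.1 or 3.x on PATH; the CA lives in the directory
# given as $1 (hypothetical name); the router is simulated by make_router_csr.
set -eu

# Steps 1-2 of the Certificate Authority section plus the database and config
# that "openssl ca" (FlexVPN step 6) needs and the guide does not mention.
setup_ca() {
    mkdir -p "$1/newcerts"
    ca_dir=$(cd "$1" && pwd)     # absolute, so openssl ca works from any cwd
    : > "$ca_dir/index.txt"
    echo 1000 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = ec_ca

[ ec_ca ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.pem
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = router_policy
x509_extensions = router_ext

# DN fields not listed here are dropped from the issued certificate.
[ router_policy ]
commonName   = supplied
serialNumber = optional

[ router_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = Example EC CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # OpenSSL's name for NIST P-256 is prime256v1 (SECG: secp256r1).
    openssl ecparam -name prime256v1 -genkey -noout -out "$ca_dir/ca.key"
    openssl req -x509 -new -key "$ca_dir/ca.key" -out "$ca_dir/ca.pem" \
        -outform PEM -days 3650 -config "$ca_dir/openssl.cnf"
}

# Stand-in for "crypto pki enroll ec_ca": a P-256 key and a CSR carrying the
# subject the trustpoint requests. With a real router, save its enrollment
# output as flex.csr in the CA directory instead of calling this.
make_router_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/router.key"
    openssl req -new -key "$1/router.key" -subj "/CN=router1.cisco.com" \
        -sha256 -config "$1/openssl.cnf" -out "$1/flex.csr"
}

# FlexVPN step 6. -notext keeps the human-readable dump out of flex.pem so
# the file holds only the PEM block that "crypto pki import" expects.
sign_router_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -keyfile "$1/ca.key" \
        -cert "$1/ca.pem" -md sha256 -in "$1/flex.csr" -out "$1/flex.pem"
}

# Checks worth running before step 7: chains to ca.pem, ECDSA-with-SHA256
# signature, P-256 key, expected subject. Non-zero exit on any miss.
verify_router_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/flex.pem" >/dev/null || return 1
    cert_text=$(openssl x509 -in "$1/flex.pem" -noout -text)
    case $cert_text in
        *"Signature Algorithm: ecdsa-with-SHA256"*) ;;
        *) return 1 ;;
    esac
    case $cert_text in
        *prime256v1*|*P-256*) ;;     # curve label differs by OpenSSL version
        *) return 1 ;;
    esac
    openssl x509 -in "$1/flex.pem" -noout -subject | grep -q "router1.cisco.com"
}

run_demo() {
    setup_ca "$1"
    make_router_csr "$1"
    sign_router_csr "$1"
    verify_router_cert "$1" && echo "flex.pem verified against ca.pem in $1"
}

run_demo "${1:-$(mktemp -d)}"
```

Run it as sh ec_ca_demo.sh ./ec_ca to keep the CA directory for later signing, or with no argument to use a throwaway temporary directory. Because the policy section lists only commonName and serialNumber, any other attribute a real router places in its request DN is dropped from the issued certificate; add such fields to router_policy if you need them preserved.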