dubey/WindowsXP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WindowsXP/ds/security/services/ca/tools/cep/cepcab/mscephlp.htm
Tanishq Dubey cb60ae51e5
Initial Commit
2025-04-27 07:49:33 -04:00

161 lines
11 KiB
HTML
Raw Permalink Blame History

<!DOCtype: HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML DIR="LTR">
<HEAD>
<TITLE>>Installing Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services and Enrolling for Certificates from a Cisco Router</TITLE>
<SCRIPT LANGUAGE="JavaScript" SRC="../scripts/ntrktool.js"></SCRIPT>
</HEAD>
<BODY>
<H2>Installing Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services and Enrolling for Certificates from a Cisco Router</H2>
<P>The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on Windows&nbsp;2000 Server.</P>
<P>This tool is not installed by the <I>Windows&nbsp;2000 Resource Kit</I> Setup. To install it, use the following procedure:</P>
<H3>Before you start</H3>
<UL>
<LI><P>You must install the SCEP Add-on for Certificate Services for on a root certification authority (CA). Both enterprise root CAs and stand-alone root CAs are supported. You can install the SCEP Add-on for Certificate Services on a subordinate CA. However, as of October 1999, existing versions of Cisco routers will not be able to request certificates from the subordinate CA.</P></LI>
<LI><P>The CA should be in a separate certification hierarchy from all other CAs in your organization.</P></LI>
<LI><P>You need to have proper administrative privileges to install the SCEP Add-on for Certificate Services. By default, you need to be a member of the Enterprise Administrators group or the root Domain Administrators group to install this add-on on an enterprise CA, or you need to be a member of the computer administrators group to install this add-on on a standalone CA</P></LI>
<LI><P>The SCEP Add-on for Certificate Services cannot be installed on a Windows&nbsp;2000 CA that has any non-alphanumeric characters (&amp;,*, :, ;, ', &quot;, etc.) in its name.</P></LI>
</UL>
<H3>To install SCEP Add-on for Certificate Services on a Windows&nbsp;2000 root CA</H3>
<OL>
<LI><P>Log on with the appropriate administrative privileges to the server on which the root CA is installed.</P></LI>
<LI><P>
Click <B>Start</B>, click <B>Run</B>, then type <I>drive</I><B>:cepsetup.exe</B> where <I>drive</I> is the CD-ROM drive where the Windows&nbsp;2000 Resource Kit CD is located or the disk drive where you have downloaded cepsetup.exe.</P></LI>
<LI><P>In the SCEP Add-on for Certificate Services Setup wizard:</P>
<UL>
<LI><P>Select whether or not you want to require a challenge phrase for router certificate enrollment.</P></LI>
<LI><P>Enter information about who is enrolling for the Registration Authority (RA) certificate, which will later allow certificates to be requested from the CA on behalf of the router.</P></LI>
<LI><P>(Optional) Select Advanced Enrollment Options if you want to specify the cryptographic service provider (CSP) and key lengths for the RA signature and encryption keys.</P></LI>
<LI><P>The URL - <B>http://<I>URLHostName</I>/certsrv/mscep/mscep.dll</B> - is displayed when the SCEP Setup wizard finishes and confirms a successful installation. <I>URLHostName</I> is the name of the server which hosts the CA's enrollment Web pages (also referred to as Certificate Services Web pages).</P>
</LI>
</UL>
</LI>
</OL>
<H3>To enroll for certificates from a Cisco router</H3>
<P><B>Remove all current certificates stored on the router and configure the router for new certificate enrollment</B></P>
<OL>
<LI><P>At the <b><i>routername</i>&gt;</B> prompt, type <B>EN</B></P></LI>
<LI><P>Type in your password. You are now in &quot;Enable Mode&quot; on the router.</P></LI>
<LI><P>At the <b><i>routername</i>#</B> prompt, type <B>config t</B>.</P></LI>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>no crypt ca identity <I>ExistingCAIdentityName</I></B>.</P></LI>
<LI><P>Type <B>y</B> to destroy all certificates.</P></LI>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>crypt ca identity <I>NewCAIdentityName</I></B>.</P></LI>
<LI><P>At the <b><i>routername</i>(ca-identity)#</B> prompt, type <B>enrollment mode ra</B>.</P></LI>
<P><B>NOTE:</B> Do <U>not</U> use the <B>query</B> sub-command at <b><i>routername</i>(ca-identity)#</B> prompt to configure the router.
</P>
<LI><P>At the <B><i>routername</i>(ca-identity)#</B> prompt, type <B>enrollment url http://<I>URLHostName</I>/certsrv/mscep/mscep.dll</B> where <I>URLHostName</I> is the name of the server which hosts the CA's enrollment Web pages (also referred to as Certificate Services Web pages).</P></LI>
<LI><P>If you do not want the router to check the CA's certificate revocation list (CRL), at the <b><i>routername</i>(ca-identity)#</B> prompt, type <B>crl optional</B>.</P></LI>
<LI><P>At the <b><i>routername</i>(ca-identity)#</B> prompt, type <B>exit</B>.</P></LI>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>exit</B>.</P></LI>
<LI><P>At the <b><i>routername</i>#</B> prompt, type <B>write memory</B>.</P></LI>
<LI><P>To confirm that your changes have taken place, at the <b><i>routername</i>#</B> prompt, type <B>write terminal</B>. The router will display its configuration information. No certificates will appear in the displayed information and you will see the enrollment URL you entered.</P></LI>
</OL>
<H3>Request the CA's certificate</H3>
<OL>
<LI><P>At the <b><i>routername</i>#</B> prompt, type <B>config t</B>.</P></LI>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>crypt ca authenticate <I>NewCAIdentityName</I></B>.</P></LI>
<LI><P>Attributes of CA certificate will be displayed, including the fingerprint of the CA certificate. The &quot;fingerprint&quot; is a series of alphanumeric characters unique to that CA certificate.</P>
<P>You can confirm that the fingerprint of the CA certificate being presented to the router matches the fingerprint of the authentic CA certificate by connecting to the URL: <B>http://<I>URLHostName</I>/certsrv/mscep/mscep.dll</B> in Internet Explorer. Verify that the fingerprint displayed at this URL matches the fingerprint of the certificate being presented to the router.</P>
<P>Type <B>Y</B> to accept the CA certificate. </P></LI>
<LI><P>To confirm that you received the CA certificate, at the <b><i>routername</i>(config)#</B> prompt, type <B>exit</B>.</P></LI>
<LI><P>At the <b><i>routername</i>#</B> prompt, type <B>show crypt ca certificate</B>. The CA certificate will be displayed on the screen.</P></LI>
</OL>
<H3>Generate a public and private key pair</H3>
<OL>
<LI><P>At the <b><i>routername</i>#</B> prompt, type <B>config t</B>.</P></LI>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>crypt key gen rsa</B>.</P></LI>
<LI><P>When you are asked if you want to replace your current keys, type <B>Y</B>.</P></LI>
<LI><P>Enter the number of bits in the modulus (key size). The default is 512.</P></LI>
</OL>
<H3>Enroll for certificates.</H3>
<OL>
<LI><P>At the <b><i>routername</i>(config)#</B> prompt, type <B>crypt ca enroll</B> <I>NewCAIdentityName</I>.</P></LI>
<LI><P>You are asked to input a password.</P>
<P>Using Internet Explorer, retrieve a valid challenge password by connecting to the URL: <B>http://<I>URLHostName</I>/certsrv/mscep/mscep.dll</B>.</P>
<P>Some notes about this password:</P>
<UL>
<LI><P>Every time you connect to this URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can only be used once.</P></LI>
<LI><P>The password displayed is both the challenge password for certificate enrollment and the password for certificate revocation. Remember this password so that in case you need to revoke the certificate, you can provide it to the CA administrator.</P></LI>
<LI><P>If you connect to the URL above and do not see a challenge password displayed, then the SCEP Add-on was not setup to require a challenge password. In this case, you can make up a password of your own choosing. This password will be used for certificate revocation only.</P></LI>
<LI><P>If you are requesting a certificate from an enterprise CA, you must have the right to enroll for certificates based on the <B>IPSecIntermediateOffline</B> certificate template in order to access the URL above. By default, a member of the Enterprise Administrators group or the root Domain Administrators group will have the right to enroll for certificates based on the <B>IPSecIntermediateOffline</B> certificate template.</P>
<P>See the procedure entitled <B>Set security permissions and delegate control of certificate templates</B> in Windows 2000 Server online help for the procedure to change enrollment permissions for certificate templates.</P></LI>
<LI><P>By default anyone can view the Web page at the URL above if it is on a stand-alone CA.</P></LI>
</UL>
</LI>
<LI><P>Type <B>Y</B> to include the router serial number in the subject name.</P></LI>
<LI><P> Type <B>Y</B> to include the IP address in the subject name. </P></LI>
<LI><P> Type <B>Y</B> to request the certificate from the CA. The certificate request fingerprint will be displayed and the certificate will be received from the CA.</P></LI>
<LI><P> Type <B>exit</B> to leave config mode.</P></LI>
<LI><P>At the <B><i>routername</i>#</B> prompt, type <B>show crypt ca certificate</B> to verify that you have certificate(s) for the router. The certificate(s) issued to the router, as well as the CA certificate, will be displayed on the screen.</P></LI>
</OL>
<H3>Notes</H3>
<UL>
<LI><P>You should use Internet Explorer on a Windows 2000-based computer when performing procedural steps that require you to connect to the URL: <B>http://<I>URLHostName</I>/certsrv/mscep/mscep.dll</B>.
</P></LI>
<LI><P>If Internet Explorer is configured to use a proxy server, make sure that the <B>Bypass proxy server for local addresses</B> check box is selected in the <B>Tools</B>, <B>Internet Options</B>, <B>Connections</B>, <B>LAN Settings</B> dialog box in Internet Explorer.</P></LI>
<LI><P>The router cannot process certificates whose issuer or subject has non-alphanumeric characters (*, :, ;, ', &quot;, etc.)
</P></LI>
<LI><P>Some helpful procedures in Windows 2000 Server online documentation:</P>
<UL>
<LI>
<P>To issue or deny a pending certificate request on a stand-alone CA, see <B>Review pending certificate requests</B> in Windows Server help.</P></LI>
<LI>
<P>To revoke a certificate and publish a CRL, see <B>Revoke an issued certificate</B> and <B>Manually publish the certificate revocation list</B> in Windows Server help.</P>
</LI>
<LI><P>If you are issuing certificates to routers from a CA, you may want to view all issued certificates with the <B>unstructured Name</B>, <B>unstructured Address</B>, and <B>serialNumber</B> columns. To add these columns to the MMC view, see <B>Customize the display of columns in Certification Authority</B> in Windows Server help for general instructions to add columns to the Certification Authority snap-in display.</p></LI>
</UL>
</LI>
</UL>
<SCRIPT LANGUAGE="JavaScript" SRC="../scripts/defs.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="../scripts/popups.js"></SCRIPT>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink