Requesting a certificate from a Windows Server 2003 CA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server.

Figure 84: Network diagram

Configuring the Windows Server 2003 CA server

  1. Install the certificate service component:

    1. Select Control Panel > Add or Remove Programs from the start menu.

    2. Select Add/Remove Windows Components > Certificate Services.

    3. Click Next to begin the installation.

    4. Set the CA name. In this example, set the CA name to myca.

  2. Install the SCEP add-on:

    By default, Windows Server 2003 does not support SCEP. You must install the SCEP add-on on the server for a PKI entity to register and obtain a certificate from the server. After the SCEP add-on installation is complete, you will see a URL. Specify this URL as the certificate request URL on the device.

  3. Modify the certificate service attributes:

    1. Select Control Panel > Administrative Tools > Certificate Authority from the start menu.

      If the certificate service component and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.

    2. Right-click the CA server in the navigation tree and select Properties > Policy Module.

    3. Click Properties, and then select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

  4. Modify the Internet information services attributes:

    1. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu.

    2. Select Web Sites from the navigation tree.

    3. Right-click Default Web Site and select Properties > Home Directory.

    4. Specify the path for certificate service in the Local path box.

    5. Specify a unique TCP port number for the default website to avoid conflict with existing services. In this example, port 8080 is used.

Configuring the device

  1. Synchronize the device's system time with the CA server so that the device can request certificates correctly; certificate validity periods are checked against the device clock. (Details not shown.)

  2. Create an entity named aaa and set the common name to test.

    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name test
    [Device-pki-entity-aaa] quit
    
  3. Configure a PKI domain:

    # Create a PKI domain named winserver and enter its view.

    [Device] pki domain winserver
    

    # Set the name of the trusted CA to myca.

    [Device-pki-domain-winserver] ca identifier myca
    

    # Configure the certificate request URL. The URL format is http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.

    [Device-pki-domain-winserver] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
    

    # Configure the device to send certificate requests to ra.

    [Device-pki-domain-winserver] certificate request from ra
    

    # Set the PKI entity name to aaa.

    [Device-pki-domain-winserver] certificate request entity aaa
    

    # Configure a general-purpose RSA key pair named abc with a length of 1024 bits.

    [Device-pki-domain-winserver] public-key rsa general name abc length 1024
    [Device-pki-domain-winserver] quit
    
  4. Generate the RSA local key pair.

    [Device] public-key local create rsa name abc
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512,it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ..........................++++++
    .....................................++++++
    Create the key pair successfully.
    
  5. Request a local certificate:

    # Obtain the CA certificate and save it locally.

    [Device] pki retrieve-certificate domain winserver ca
    The trusted CA's finger print is:
        MD5  fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
        SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
    Is the finger print correct?(Y/N):y
    Retrieved the certificates successfully.
    

    # Submit a certificate request manually.

    [Device] pki request-certificate domain winserver
    Start to request the general certificate ...
    …
    Request certificate of domain winserver successfully
    
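    The two configuration values that matter most for security in step 3 and step 5 are the certificate request URL and the CA fingerprint the device asks you to confirm. The following script is an added example for this guide, not device or vendor code: it builds the standard SCEP GetCACert query for the request URL form shown above, computes MD5 and SHA1 fingerprints of a CA certificate in the same grouped format the device prints, and compares them in constant time against the value obtained out of band from the CA administrator. The byte string SAMPLE_CA_DER is a constructed stand-in for the DER-encoded CA certificate; with a real deployment you would read the .crt/.cer file exported from the CA.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the DER bytes of the CA certificate the device
# downloads. Replace with open("myca.cer", "rb").read() in practice.
SAMPLE_CA_DER = b"abc"


def scep_getcacert_url(request_url: str, ca_identifier: str) -> str:
    """Build the SCEP GetCACert query for the configured request URL.

    The request URL must have the form http://host:port/certsrv/mscep/mscep.dll
    (the value configured with 'certificate request url'); 'operation' and
    'message' are the standard SCEP query parameters, and 'message' carries the
    CA identifier configured with 'ca identifier'.
    """
    parts = urlsplit(request_url)
    if parts.scheme != "http" or not parts.path.lower().endswith("/mscep.dll"):
        raise ValueError("expected http://host:port/certsrv/mscep/mscep.dll")
    query = urlencode({"operation": "GetCACert", "message": ca_identifier})
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"


def fingerprints(der: bytes) -> dict:
    """Return MD5 and SHA1 fingerprints grouped in blocks of four hex digits,
    matching the 'finger print' lines the device prints after retrieval."""
    out = {}
    for name in ("md5", "sha1"):
        hexdigest = hashlib.new(name, der).hexdigest().upper()
        out[name] = " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))
    return out


def _normalize(fp: str) -> str:
    # Accept "766C D2C8 ...", "76:6c:d2:c8:..." or bare hex from the admin.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare the computed fingerprint against the out-of-band value.

    Prefer SHA1 over MD5 for the comparison; compare_digest avoids leaking the
    position of a mismatch through timing.
    """
    computed = _normalize(fingerprints(der)[algo])
    return hmac.compare_digest(computed, _normalize(expected))


if __name__ == "__main__":
    print(scep_getcacert_url("http://4.4.4.1:8080/certsrv/mscep/mscep.dll", "myca"))
    for algo, fp in fingerprints(SAMPLE_CA_DER).items():
        print(f"{algo.upper():4} fingerprint:{fp}")
```

    Run the script against the exported CA certificate before answering the "Is the finger print correct?" prompt; answering Y on an unverified fingerprint means the device will trust whatever CA the SCEP endpoint returned.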

Verifying the configuration

# Display information about the local certificate in PKI domain winserver.

[Device] display pki certificate domain winserver local
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             (Negative)01:03:99:ff:ff:ff:ff:fd:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=sec
        Validity
            Not Before: Dec 24 07:09:42 2012 GMT
            Not After : Dec 24 07:19:42 2013 GMT
        Subject: CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a:
                    55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac:
                    dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb:
                    d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27:
                    a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94:
                    f0:56:a5:2b:87:ac:80:c5:cc:04:07:65:02:39:fc:
                    db:61:f7:07:c6:65:4c:e4:5c:57:30:35:b4:2e:ed:
                    9c:ca:0b:c1:5e:8d:2e:91:89:2f:11:e3:1e:12:8a:
                    f8:dd:f8:a7:2a:94:58:d9:c7:f8:1a:78:bd:f5:42:
                    51:3b:31:5d:ac:3e:c3:af:fa:33:2c:fc:c2:ed:b9:
                    ee:60:83:b3:d3:e5:8e:e5:02:cf:b0:c8:f0:3a:a4:
                    b7:ac:a0:2c:4d:47:5f:39:4b:2c:87:f2:ee:ea:d0:
                    c3:d0:8e:2c:80:83:6f:39:86:92:98:1f:d2:56:3b:
                    d7:94:d2:22:f4:df:e3:f8:d1:b8:92:27:9c:50:57:
                    f3:a1:18:8b:1c:41:ba:db:69:07:52:c1:9a:3d:b1:
                    2d:78:ab:e3:97:47:e2:70:14:30:88:af:f8:8e:cb:
                    68:f9:6f:07:6e:34:b6:38:6a:a2:a8:29:47:91:0e:
                    25:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34
            X509v3 Authority Key Identifier:
                keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9B

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:file://\\g07904c\CertEnroll\sec.crl

            Authority Information Access:
                CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt
                CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt

            1.3.6.1.4.1.311.20.2:
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
        76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d:
        6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5:
        36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2:
        14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e:
        29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec:
        cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99:
        31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc:
        0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb:
        46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:
        bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27:
        90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a:
        00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47:
        6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06:
        7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14:
        02:09:ad:08

To display detailed information about the CA certificate, use the display pki certificate domain command.
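The display output above is what an operator reads to confirm the enrollment worked, and it is also where weak parameters show up. The following script is an added example, not part of the original guide or the device software: it parses the fields of the display pki certificate domain output (the page's own output is embedded as sample input, with the modulus and signature bytes omitted) and reports the points a reviewer would check, namely the signature hash, the RSA key length, the validity window relative to a given time, and the Key Usage bits. The thresholds (2048-bit minimum, 30-day expiry warning) are assumptions chosen for the example.

```python
import re
from datetime import datetime, timezone

# Output of "display pki certificate domain winserver local" from the page,
# embedded as constructed sample input (modulus and signature lines dropped).
SAMPLE_DISPLAY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             (Negative)01:03:99:ff:ff:ff:ff:fd:11
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=sec
        Validity
            Not Before: Dec 24 07:09:42 2012 GMT
            Not After : Dec 24 07:19:42 2013 GMT
        Subject: CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha1WithRSAEncryption
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # format of the Not Before / Not After lines


def parse_display(text: str) -> dict:
    """Extract the fields of interest from the device's certificate dump."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()

    return {
        "version": int(grab(r"^\s*Version:\s*(\d+)")),
        # first match is the one inside the Data block
        "signature_algorithm": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "subject": grab(r"^\s*Subject:\s*(.+)$"),
        "key_bits": int(grab(r"Public-Key:\s*\((\d+) bit\)")),
        "not_before": datetime.strptime(grab(r"Not Before:\s*(.+)$"), DATE_FMT)
                              .replace(tzinfo=timezone.utc),
        "not_after": datetime.strptime(grab(r"Not After\s*:\s*(.+)$"), DATE_FMT)
                             .replace(tzinfo=timezone.utc),
        "key_usage": [u.strip() for u in grab(r"X509v3 Key Usage:\s+(.+)$").split(",")],
    }


def check_certificate(info: dict, now: datetime,
                      min_key_bits: int = 2048, warn_days: int = 30) -> list:
    """Return review findings for the parsed certificate; an empty list means
    nothing to report. Thresholds are assumptions for this example."""
    findings = []
    sig = info["signature_algorithm"].lower()
    if sig.startswith("sha1") or sig.startswith("md5"):
        findings.append(f"weak signature algorithm: {info['signature_algorithm']}")
    if info["key_bits"] < min_key_bits:
        findings.append(f"RSA key is only {info['key_bits']} bits")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("certificate is not valid at the given time")
    elif (info["not_after"] - now).days < warn_days:
        findings.append(f"certificate expires within {warn_days} days")
    if "Digital Signature" not in info["key_usage"]:
        findings.append("Digital Signature key usage missing")
    return findings


if __name__ == "__main__":
    info = parse_display(SAMPLE_DISPLAY)
    print(f"{info['subject']} issued by {info['issuer']}, "
          f"{info['key_bits']}-bit key, valid until {info['not_after']:%Y-%m-%d}")
    for finding in check_certificate(info, datetime.now(timezone.utc)):
        print("finding:", finding)
```

Paste the device's display output into SAMPLE_DISPLAY (or read it from a file) to review a real certificate; on the page's output the script reports the SHA1 signature and, run today, the expired validity period.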