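This document describes how to generate and install a self-signed web certificate when the existing certificate on an on-premises vManage has expired.
Cisco does not sign web certificates for such deployments. Customers must have them signed by their own certificate authority (CA) or by a third-party CA.
The vManage web certificate is about to expire or has already expired. Access to the graphical user interface (GUI) can be lost, or you see a permanent alarm in the GUI about the expired certificate.
If you are not concerned about the security aspects of self-signed certificate usage and only want to avoid the alarm messages and possible problems with vManage GUI access caused by the expired certificate, you can use this solution with a self-signed web certificate on vManage.
1. In the vManage GUI, navigate to Administration > Settings > Web Server Certificate > Certificate and save the certificate Subject information somewhere, for example Subject: CN=vmanage, OU=Cisco SDWAN, O=Cisco Systems, L=San Jose, ST=CA, C=US.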

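2. In the vManage GUI, navigate to Administration > Settings > Web Server Certificate > CSR and select Generate to generate a new Certificate Signing Request (CSR). Ensure that you enter the Subject values captured in the previous step.
3. Copy the newly generated CSR to the copy-paste buffer, as shown in the image.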

4. Then enter vshell and use the echo command to paste the buffer content with the CSR into a file on vManage.

```
vmanage#
vmanage# vshell
vmanage:~$ mkdir web
vmanage:~$ cd web
vmanage:~/web$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----
> MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
> EwhTYW4gSm9zZTEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczEUMBIGA1UECxMLQ2lz
> Y28gU0RXQU4xEDAOBgNVBAMTB3ZtYW5hZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IB
> DwAwggEKAoIBAQCRDdIKGUYuDwobn60PeDqfq96d+r5z66VQ8NBTBBhgwZgG57J7
> YIY9yNF5oSb+b1xUEXb61Wntq7qSHSzJhFDX0BaL4/c9llOQped3yDElCE0ly3oH
> y88yg7TIZjnmz+j8Io92cRXnZLZ9YJwfs9PwEF0Z/4Gw5QIkukdAmLmkeKjOWD2A
> 4pG2sV8Og+hnhUw8tJ1rKzQKsj2JJmD+ikeZbXu36iZvdKJB34iM2AsmsRbJhUFf
> ujUU7O5E0z1nF2SBCJ+fpf7ze75dQRrBT0PA23QRobQEEg5wSMc+G//jD26zBCNg
> IEyUAX0/0NQfOqtMmcBm7QJDESseOSufv4b9AgMBAAGgADANBgkqhkiG9w0BAQsF
> AAOCAQEAK2BenHnfYuW1agdcYrZJD6+uGC6fNfI6qqmvv9XEPFFW0QfPhu8rESyY
> K3qgf/ED+iCXEk/hudnf09vZ6gygM+P8a/zN3+J3VM5zCb6tn7vM0/cytcJONPtu
> mnZGpDO+XjZDDLYmS6jlB+hO5gXeYyQ1t4Qv/s2H8jPhIWTraV376E+S9o318cva
> 7D7yp3W+ce5ItHs9ObKWOaexVsypAV4USrDaVsfSbyU97G2rCXqmMgRLJdBwZofg
> 04qsgrC8qG28aue1Q88XPa/HQtp0WB/Pxg7oe91s59Je/ETsMkR3vt7aglemyXAJ
> nal67+T/QWgLSJB2pQuPHo51MbA55w==
> -----END NEW CERTIFICATE REQUEST-----" > web_cert.csr
```

5. Use the cat command to ensure that the CSR was saved correctly.

```
vmanage:~/web$ cat web_cert.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW4gSm9zZTEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczEUMBIGA1UECxMLQ2lz
Y28gU0RXQU4xEDAOBgNVBAMTB3ZtYW5hZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCRDdIKGUYuDwobn60PeDqfq96d+r5z66VQ8NBTBBhgwZgG57J7
YIY9yNF5oSb+b1xUEXb61Wntq7qSHSzJhFDX0BaL4/c9llOQped3yDElCE0ly3oH
y88yg7TIZjnmz+j8Io92cRXnZLZ9YJwfs9PwEF0Z/4Gw5QIkukdAmLmkeKjOWD2A
4pG2sV8Og+hnhUw8tJ1rKzQKsj2JJmD+ikeZbXu36iZvdKJB34iM2AsmsRbJhUFf
ujUU7O5E0z1nF2SBCJ+fpf7ze75dQRrBT0PA23QRobQEEg5wSMc+G//jD26zBCNg
IEyUAX0/0NQfOqtMmcBm7QJDESseOSufv4b9AgMBAAGgADANBgkqhkiG9w0BAQsF
AAOCAQEAK2BenHnfYuW1agdcYrZJD6+uGC6fNfI6qqmvv9XEPFFW0QfPhu8rESyY
K3qgf/ED+iCXEk/hudnf09vZ6gygM+P8a/zN3+J3VM5zCb6tn7vM0/cytcJONPtu
mnZGpDO+XjZDDLYmS6jlB+hO5gXeYyQ1t4Qv/s2H8jPhIWTraV376E+S9o318cva
7D7yp3W+ce5ItHs9ObKWOaexVsypAV4USrDaVsfSbyU97G2rCXqmMgRLJdBwZofg
04qsgrC8qG28aue1Q88XPa/HQtp0WB/Pxg7oe91s59Je/ETsMkR3vt7aglemyXAJ
nal67+T/QWgLSJB2pQuPHo51MbA55w==
-----END NEW CERTIFICATE REQUEST-----
vmanage:~/web$
```

6. With the help of openssl, generate a key for the root certificate, named rootca.key.

```
vmanage:~/web$ openssl genrsa -out rootca.key 2048
Generating RSA private key, 2048 bit long modulus
..
..........
e is 65537 (0x10001)
vmanage:~/web$ ls
rootca.key web_cert.csr
vmanage:~/web$
```

7. Generate the root CA certificate named rootca.pem and sign it with the rootca.key generated in the previous step.

```
vmanage:~/web$ openssl req -x509 -new -nodes -key rootca.key -sha256 -days 4000 -out rootca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco Systems
Organizational Unit Name (eg, section) []:Cisco SDWAN
Common Name (e.g. server FQDN or YOUR name) []:vmanage
Email Address []:
vmanage:~/web$ ls
rootca.key rootca.pem web_cert.csr
vmanage:~/web$
```

8. Sign the CSR with the root CA certificate and key.

```
vmanage:~/web$ openssl x509 -req -in web_cert.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial -out web_cert.crt -days 4000 -sha256
Signature ok
subject=/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=Cisco SDWAN/CN=vmanage
Getting CA Private Key
vmanage:~/web$ ls
rootca.key rootca.pem rootca.srl web_cert.crt web_cert.csr
vmanage:~/web$
```

9. Copy the newly signed certificate to the copy-paste buffer. You can use cat to view the signed certificate.

```
vmanage:~/web$ cat web_cert.crt
-----BEGIN CERTIFICATE-----
MIIDVjCCAj4CCQDXH8GlDhvL4DANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMRYwFAYDVQQKDA1DaXNj
byBTeXN0ZW1zMRQwEgYDVQQLDAtDaXNjbyBTRFdBTjEQMA4GA1UEAwwHdm1hbmFn
ZTAeFw0xOTEwMjIwODU0MzdaFw0zMDEwMDQwODU0MzdaMG0xCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJDQTERMA8GA1UEBxMIU2FuIEpvc2UxFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAsTC0Npc2NvIFNEV0FOMRAwDgYDVQQDEwd2bWFuYWdl
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkQ3SChlGLg8KG5+tD3g6
n6venfq+c+ulUPDQUwQYYMGYBueye2CGPcjReaEm/m9cVBF2+tVp7au6kh0syYRQ
19AWi+P3PZZTkKXnd8gxJQhNJct6B8vPMoO0yGY55s/o/CKPdnEV52S2fWCcH7PT
8BBdGf+BsOUCJLpHQJi5pHiozlg9gOKRtrFfDoPoZ4VMPLSdays0CrI9iSZg/opH
mW17t+omb3SiQd+IjNgLJrEWyYVBX7o1FOzuRNM9ZxdkgQifn6X+83u+XUEawU9D
wNt0EaG0BBIOcEjHPhv/4w9uswQjYCBMlAF9P9DUHzqrTJnAZu0CQxErHjkrn7+G
/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBZAIxV/GI/AP0aw54PA//+QMUs9t+b
i6lhATUuTdyQwOuQSSfGjhWypDsqm3oh86GXmgoxIF1D/UmcOXHKVeK/MZrhZ/P9
USAAnPGyqOha/TqQvPbSMKALHj9cGc9389io2AAeDQqneEcDqie5uOs0M0vBth3V
DXpq8mYgTjhqIUyab4txWZwXvQmZj+Hu2h2S4wj//us92KgE+XcljNeaky/GEZqZ
jWNoWDgWeJdsm8hx2QteHHbDTahuArVJf1p45eLIcJR1k0lRL8TTroWaST1bZCJz
20aYK4S0K0nTkpscuVIrXHkwNN6Ka4q9/rVxnLzAflJ4E9DXojpD3qNH
-----END CERTIFICATE-----
```

10. Import the certificate into vManage. To do so, navigate to Administration > Settings > Web Server Certificate > Import and paste the content of the copy-paste buffer, as shown in the image.
11. If everything is correct, vManage displays Certificate Installed Successfully, as shown in the image.

12. Finally, check the result and ensure that the certificate validity date was updated successfully, as shown in the image.
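
The following added example (not part of the original procedure) shows checks that can be run in vshell after step 8 and before the import in step 10: that web_cert.crt carries the public key from web_cert.csr, that it is signed by rootca.pem, and that it remains valid long enough. The function names, demo.key and the CA name lab-root-ca are assumptions made for the example; the demo generates its own throwaway CSR in place of the one produced by the vManage GUI.

```shell
#!/bin/sh
# Added example: checks to run on web_cert.crt before importing it (step 10).
# File names follow the page; the demo key, CSR and CA subject are constructed.

# Succeed only if the certificate carries the same public key as the CSR.
same_pubkey() {      # usage: same_pubkey CSR CRT
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$csr_key" = "$crt_key" ]
}

# Succeed only if the certificate's signature chains to the given root CA.
chains_to() {        # usage: chains_to ROOTCA CRT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the certificate is still valid DAYS days from now.
valid_for_days() {   # usage: valid_for_days CRT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks and name the first one that fails.
check_web_cert() {   # usage: check_web_cert CSR ROOTCA CRT MIN_DAYS
    same_pubkey "$1" "$3"    || { echo "FAIL: key does not match CSR"; return 1; }
    chains_to "$2" "$3"      || { echo "FAIL: not signed by $2"; return 1; }
    valid_for_days "$3" "$4" || { echo "FAIL: expires within $4 days"; return 1; }
    echo "OK: $3"
}

# Constructed stand-in for steps 2 and 6-8 so the checks can run offline.
# On vManage the CSR comes from the GUI; here a throwaway key produces it.
make_demo() {        # usage: make_demo DIR
    ( cd "$1" && umask 077 &&   # keep rootca.key readable by its owner only
      dn="/C=US/ST=CA/L=San Jose/O=Cisco Systems/OU=Cisco SDWAN" &&
      openssl genrsa -out demo.key 2048 &&
      openssl req -new -key demo.key -subj "$dn/CN=vmanage" -out web_cert.csr &&
      openssl genrsa -out rootca.key 2048 &&
      # Distinct CA name (assumption): with identical subject and issuer,
      # openssl verify can take the leaf for a self-signed certificate.
      openssl req -x509 -new -nodes -key rootca.key -sha256 -days 4000 \
          -subj "$dn/CN=lab-root-ca" -out rootca.pem &&
      openssl x509 -req -in web_cert.csr -CA rootca.pem -CAkey rootca.key \
          -CAcreateserial -out web_cert.crt -days 4000 -sha256
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" &&
    ( cd "$demo_dir" && check_web_cert web_cert.csr rootca.pem web_cert.crt 30 )
```

On vManage itself, skip make_demo and run check_web_cert web_cert.csr rootca.pem web_cert.crt 30 in the ~/web directory created in step 4.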

| Revision | Publish Date | Comments |
|---|---|---|
| 3.0 | 01-May-2026 | Updated SEO and title. |
| 2.0 | 09-Sep-2024 | Added Alt Text. Updated title, introduction, and formatting. |
| 1.0 | 24-Dec-2019 | Initial release |