HP-UX AAA Server A.07.01 Administrator's Guide
NOTE: HP recommends using the self-signed certificates included with the HP-UX
AAA Server to simulate your certificate administration before deploying your own
personal certificates in a production environment.
The HP-UX AAA Server has the following digital certificate requirements:
• All certificate files stored on the HP-UX AAA Server must be in .pem or .cer
format.
• The server’s certificate must be generated with a key file that is not encrypted with
a pass-phrase.
• For TLS only, the Common Name (CN) on the client certificate is used as
the user name and therefore must be less than 128 ASCII characters and
cannot include the < > ( ) [ ] \ / . , ; : or space characters.
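As an added example (not part of the HP guide), the following Python sketch pre-checks two of the requirements above before files are copied to the server: the TLS client CN rule and the unencrypted server key. The function names and sample inputs are constructed for illustration, and the CN is assumed to have been read from the certificate already (for example with openssl x509 -noout -subject).

```python
import re

# Characters the guide rules out for a TLS client CN (the last one is a space).
FORBIDDEN_CN_CHARS = set('<>()[]\\/.,;: ')
MAX_CN_LEN = 128  # the CN must be shorter than this

def cn_problems(cn):
    """Return the reasons a client-certificate CN breaks the TLS user-name rule."""
    problems = []
    if len(cn) >= MAX_CN_LEN:
        problems.append(f"{len(cn)} characters; must be less than {MAX_CN_LEN}")
    if not cn.isascii():
        problems.append("contains non-ASCII characters")
    bad = sorted(set(cn) & FORBIDDEN_CN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(map(repr, bad)))
    return problems

def key_is_passphrase_protected(pem_text):
    """Detect an encrypted private key from its PEM armor alone."""
    # PKCS#8 encrypted keys use their own PEM label.
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    # Traditional OpenSSL keys flag encryption in an RFC 1421 style header.
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M) is not None

# Constructed samples: PEM armor only, bodies replaced by a placeholder.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\n(body omitted)\n-----END PRIVATE KEY-----\n"
PKCS8_ENC_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n(body omitted)\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,(iv omitted)\n\n(body omitted)\n"
                  "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for cn in ("alice01", "alice.smith", "John Smith", "a" * 128):
        print(repr(cn[:20]), cn_problems(cn) or "ok")
    for name, pem in (("plain", PLAIN_KEY), ("pkcs8", PKCS8_ENC_KEY),
                      ("legacy", LEGACY_ENC_KEY)):
        state = "encrypted" if key_is_passphrase_protected(pem) else "unencrypted"
        print(name, state)
```

A key reported as encrypted has to be re-exported without a pass-phrase before the server can use it, so file permissions on the key become the only protection for it.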
NOTE: Refer to the supplicant documentation to determine each supplicant’s specific
certificate requirements. For example, some supplicants require the client and server
certificates to have the Enhanced Key Usage (EKU) field. For the client certificate, the
Enhanced Key Usage (EKU) field must contain the Client Authentication certificate
purpose (OID "1.3.6.1.5.5.7.3.2"); and, for the server certificate, the EKU field must
contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").
Installing Server Certificates and Keys
Copy the server certificate and key file to the HP-UX AAA Server in the
/etc/opt/aaa/security/ directory.
• If you are using TLS, copy the client CA certificate to the
/etc/opt/aaa/security/ directory. You can combine multiple CA files into one file.
• For TLS users whose certificates have been revoked, copy or append their
certificates to the Certificate Revocation List (CRL) file.
Installing Client Certificates and Keys
1. Copy the server CA certificate to the client.
2. Copy the client certificate to the client (for TLS only).
3. Use your supplicant’s utility to install and configure the certificates.
Defining Certificate Locations on the HP-UX AAA Server
The HP-UX AAA Server uses its self-signed certificates by default. If you want to use
your own certificates, you must define where the required certificates reside on the
AAA server. The following steps illustrate how to define certificate locations:
1. In the navigation tree, click Server Properties.
2. Click Certificate Properties.
The Certificate Properties pane opens as shown in Figure 13-2.