HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)

Using the “Self-Signed” Digital Certificates
The HP-UX AAA Server creates a unique set of “self-signed” digital certificates during installation
that are based on its DNS name. Server Manager uses these certificates by default. You can use
the self-signed certificates in production environments for TTLS and PEAP, and in testing environments
for TLS. The self-signed server certificates are in /etc/opt/aaa/security/.
The following is a list of the self-signed certificates located in /etc/opt/aaa/security/:
rsa_cert.pem — AAA server certificate
rsa_key.pem — AAA server key
ca_list.pem — list of client CA certificates
demouser.p12 — sample client certificate
root.cer — CA for AAA server certificate
For TTLS and PEAP
If you are using TTLS or PEAP, the default certificates are safe to deploy in your production
environment. The AAA server is its own Certificate Authority. If you are managing multiple AAA
servers, you must have the same set of digital certificates on each server in your configuration.
Pick one of your AAA servers and copy the set of self-signed digital certificates to every AAA server
in the configuration. You should save each AAA server's original self-signed certificates for future
use.
Copy /etc/opt/aaa/security/root.cer to the CA storage on supplicants that enable server
certificate checking.
For TLS
If you are using TLS, use the default certificates to familiarize yourself with TLS certificate
administration before you deploy your own enterprise certificates.
1. Copy /etc/opt/aaa/security/root.cer to the CA storage on the supplicant.
2. Copy /etc/opt/aaa/security/demouser.p12 to the user certificate storage on the
supplicant:
the pass phrase for demouser.p12 is: 1234
the user name for demouser.p12 is: demouser@eap.realm
3. Configure a TLS realm for eap.realm on the AAA server.
Installing Your Own Digital Certificates and Keys
You can use your own certificates if your organization has a PKI and you don’t want to use the
self-signed certificates included with the HP-UX AAA Server. See the supplicant documentation to
determine each supplicant’s specific certificate requirements.
NOTE: HP recommends using the self-signed certificates included with the HP-UX AAA Server to
simulate your certificate administration before deploying your own personal certificates in a
production environment.
The HP-UX AAA Server has the following digital certificate requirements:
all certificate files stored on the HP-UX AAA Server must be in .pem or .cer format
the server’s certificate must be generated with a key file that is not encrypted with a pass-phrase
For TLS only, the Common Name (CN) on the client certificate is used as the user name
and therefore must be fewer than 128 ASCII characters and cannot include the < >
( ) [ ] \ / . , ; : or space characters.
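The following pre-deployment check script is an added example, not part of the HP-UX AAA Server product or this guide. It verifies the three requirements above before you install your own material: certificate file names end in .pem or .cer, the server key is not pass-phrase protected (detected from the PEM headers only, without decoding the key), and a TLS client CN meets the user-name rules. The sample key headers are constructed and contain no real key material.

```python
import re

# Constraints the guide places on the CN of a TLS client certificate, which the
# AAA server uses as the user name.
MAX_CN_LEN = 128
FORBIDDEN_CN_CHARS = frozenset('<>()[]\\/.,;: ')

def cn_problems(cn: str) -> list:
    """Return the reasons a CN is unusable as a TLS user name (empty list = acceptable)."""
    problems = []
    if len(cn) >= MAX_CN_LEN:
        problems.append(f"length {len(cn)} is not less than {MAX_CN_LEN}")
    if any(not (0x20 <= ord(c) <= 0x7e) for c in cn):
        problems.append("contains non-ASCII or control characters")
    bad = sorted(set(cn) & FORBIDDEN_CN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + repr("".join(bad)))
    return problems

def key_is_encrypted(pem_text: str) -> bool:
    """Detect a pass-phrase-protected private key from its PEM headers only.

    Covers PKCS#8 ('BEGIN ENCRYPTED PRIVATE KEY') and the traditional OpenSSL
    format, which marks encryption with a 'Proc-Type: 4,ENCRYPTED' header line.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem_text, re.MULTILINE) is not None

def cert_file_extension_ok(path: str) -> bool:
    """The server only accepts certificate files in .pem or .cer format."""
    return path.lower().endswith((".pem", ".cer"))

# Constructed sample key headers (bodies elided); these are not real keys.
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "MIIE...\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for cn in ("demouser", "jane doe", "r.smith", "x" * 128):
        print(cn[:20], cn_problems(cn) or "OK")
    print("plain key encrypted?", key_is_encrypted(PLAIN_KEY))
    print("encrypted sample encrypted?", key_is_encrypted(ENCRYPTED_KEY))
    print("demouser.p12 accepted as server cert file?", cert_file_extension_ok("demouser.p12"))
```

To check a real key on the server, read /etc/opt/aaa/security/rsa_key.pem and pass its text to key_is_encrypted; a True result means the server will not be able to load it unattended.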