Using OpenSSL Certificates with HP-UX IPSec A.02.01

Initializing the OpenSSL CA
Use the following procedure to set up the OpenSSL CA. You only need to do this on the system that
will host the OpenSSL CA, and you only need to do this once.
1. On the OpenSSL CA system, modify the OpenSSL master configuration file to match your
installation.
The OpenSSL master configuration file name is typically /opt/openssl/openssl.cnf. Make
the following modifications to the master configuration file:
o Set the dir parameter and other file and directory locations to conform to your file
system layout and naming conventions. By default, the dir parameter in the
configuration file specifies the base for a set of subdirectories in which OpenSSL
stores objects.
o In the section [ policy_match ], configure the stateOrProvinceName and
emailAddress parameters as follows:
stateOrProvinceName = optional
emailAddress = optional
HP-UX IPSec does not support state names or mail addresses in the subject field of
certificates or CSRs. The above configuration enables the OpenSSL server to accept
CSRs without these attributes.
2. Initialize the environment for the CA.
Set the current working directory to the base directory for OpenSSL objects (the directory specified
for the dir variable in the master configuration file).
Enter the following HP-UX commands to initialize the environment for the CA. These commands
create the subdirectories needed for the CA, set the initial value for certificate serial numbers and
create an index file.
mkdir certs crl newcerts private
echo "01" > serial
touch index.txt
3. Create a self-signed certificate for the CA.
Enter the following openssl req command:
openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem \
-out cacert.pem -days 730
The openssl utility will prompt you for a PEM (Privacy Enhanced Mail) passphrase to protect the
private key. Make a note of this passphrase; OpenSSL will prompt you for it when you sign the
host certificates.
HP recommends that you verify that the private key file (private/cakey.pem) is owned by root and readable
only by the root user. (If not, enter the appropriate chown root and chmod 400 commands.)
4. Convert the CA’s certificate to DER format so it can be stored in the LDAP directory.
Skip this step if you are not using LDAP and are going to manually distribute the CRL file to each
HP-UX IPSec system.
Enter the following openssl x509 command:
openssl x509 -in cacert.pem -outform der \
-out cacert.der
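The four steps above collected into one re-runnable POSIX shell script, as an added example that is not part of the HP-UX IPSec manual. The base directory argument, the ./demoCA placeholder and the check_key_perms helper (which implements HP's ownership and mode recommendation using ls -l, so it works on HP-UX as well as Linux) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec manual): scripted version of the
# OpenSSL CA initialization steps, plus the key-permission check HP recommends.
# The CA base directory is passed as an argument; "./demoCA" is a placeholder.

# Step 2: create the subdirectories, the initial serial number and the index
# file. Safe to re-run: an existing serial or index.txt is left untouched.
init_ca_dirs() {
    base="$1"
    mkdir -p "$base/certs" "$base/crl" "$base/newcerts" "$base/private" || return 1
    chmod 700 "$base/private"
    [ -f "$base/serial" ] || echo "01" > "$base/serial"
    [ -f "$base/index.txt" ] || : > "$base/index.txt"
}

# Step 3 check: the CA private key must be owned by the expected user (root by
# default) and readable only by its owner (mode 400). ls -l is parsed instead
# of stat(1) because stat is not portable across HP-UX and Linux.
check_key_perms() {
    key="$1"; want_owner="${2:-root}"
    [ -f "$key" ] || return 1
    mode=$(ls -l "$key" | cut -c1-10)
    owner=$(ls -l "$key" | awk '{print $3}')
    [ "$mode" = "-r--------" ] && [ "$owner" = "$want_owner" ]
}

# Steps 3 and 4: self-signed CA certificate (interactive: openssl prompts for
# the PEM passphrase and the subject fields), key locked down to root only,
# then a DER copy of the certificate for loading into the LDAP directory.
create_ca_cert() {
    base="$1"; days="${2:-730}"
    ( cd "$base" && openssl req -new -x509 -newkey rsa:2048 \
        -keyout private/cakey.pem -out cacert.pem -days "$days" ) || return 1
    chown root "$base/private/cakey.pem" && chmod 400 "$base/private/cakey.pem"
    check_key_perms "$base/private/cakey.pem" root || return 1
    openssl x509 -in "$base/cacert.pem" -outform der -out "$base/cacert.der"
}

# Typical use, run as root on the CA host:
#   init_ca_dirs ./demoCA && create_ca_cert ./demoCA 730
```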