Using OpenSSL Certificates with HP-UX IPSec A.03.00
3. Transfer the CRL to the IPsec hosts or store the CRL in an LDAP directory as described in
“(Optional) Adding the CA Certificate and CRL to an LDAP Directory.”
Note: To revoke an OpenSSL certificate, use the command openssl ca -revoke cert_file, then regenerate the CRL so that the revocation is published. Refer to the ca(1) manpage for more information.
(Optional) Adding the CA Certificate and CRL to an LDAP Directory
You can add the CA certificate and CRL to an LDAP directory and use ipsec_config to retrieve
them from the LDAP directory. Alternatively, you can manually transfer the CA certificate and CRL files
to the HP-UX IPSec system and use ipsec_config to read these objects from the transferred files.
You can use the ldapmodify utility with an LDIF file to load the CA certificate and CRL into the LDAP
directory. Load the CA certificate and CRL as items in a certificationAuthority object. Specify
the ldapmodify -b option for binary data and specify the absolute path to the certificate and CRL
files in the LDIF file. Specify the -a option the first time you load the certificate and CRL. For example:
ldapmodify -a -b -v -w - -W -D "cn=admin,ou=lab,o=example,c=us" \
-f crl.ldif
The crl.ldif file contains the following entries:
version: 1
dn: ou=lab,o=example,c=us
cn: pki-ca
description: Certificate Authority certificate and revocation list
cACertificate;binary: /opt/openssl/CA/cacert.der
certificateRevocationList;binary: /opt/openssl/CA/crl/crl.der
authorityRevocationList;binary:
objectClass: certificationAuthority
objectClass: applicationProcess
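Because the cACertificate;binary and certificateRevocationList;binary attributes are loaded from the files named in the LDIF, a PEM-encoded file at either path is stored in the directory as-is and ipsec_config cannot use it. The following script, an added example that is not part of the HP-UX document, writes the certificationAuthority entry shown above from caller-supplied values and refuses any file that is not an absolute path or does not begin with the DER SEQUENCE tag (0x30). The DN, cn and file paths are placeholders; the single-byte DER check is a heuristic, not a full parse.

```sh
#!/bin/sh
# Added example: generate crl.ldif for "ldapmodify -a -b" from checked inputs.
# Assumptions: ldapmodify -b reads each ;binary value from the absolute path
# named in the LDIF (as the document describes); the entry layout mirrors the
# document's certificationAuthority object. All names below are placeholders.

# is_der FILE: succeed if FILE is non-empty and starts with the DER SEQUENCE
# tag 0x30. A PEM file starts with "-----BEGIN" (0x2d) and is rejected.
is_der() {
    [ -s "$1" ] || return 1
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# is_abs PATH: succeed only for an absolute path, which ldapmodify -b needs.
is_abs() {
    case $1 in /*) return 0 ;; *) return 1 ;; esac
}

# write_ca_ldif DN CN CERT_DER CRL_DER OUT
# Writes the LDIF entry to OUT; returns 1 (and writes nothing) on bad input.
write_ca_ldif() {
    dn=$1; cn=$2; cert=$3; crl=$4; out=$5
    for f in "$cert" "$crl"; do
        is_abs "$f" || { echo "need absolute path: $f" >&2; return 1; }
        is_der "$f" || { echo "not DER-encoded: $f" >&2; return 1; }
    done
    cat > "$out" <<EOF
version: 1
dn: $dn
cn: $cn
description: Certificate Authority certificate and revocation list
cACertificate;binary: $cert
certificateRevocationList;binary: $crl
objectClass: certificationAuthority
objectClass: applicationProcess
EOF
}

# Stand-alone demo with constructed files (not a real certificate or CRL):
# a 5-byte DER SEQUENCE stands in for cacert.der and crl.der.
demo_dir=$(mktemp -d)
printf '\060\003\002\001\001' > "$demo_dir/cacert.der"
printf '\060\003\002\001\001' > "$demo_dir/crl.der"
if write_ca_ldif "ou=lab,o=example,c=us" pki-ca \
       "$demo_dir/cacert.der" "$demo_dir/crl.der" "$demo_dir/crl.ldif"; then
    cat "$demo_dir/crl.ldif"
fi
rm -rf "$demo_dir"
```

Run it once with the real /opt/openssl/CA/cacert.der and crl.der paths before the first ldapmodify -a; on later CRL refreshes the same LDIF can be reloaded without -a, since the entry already exists. The document's empty authorityRevocationList;binary line is omitted here because no ARL file is produced in this procedure.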
Creating Host Certificates
This section describes how to create certificates for the HP-UX IPSec hosts. There are two methods to
do this:
• Using the ipsec_config add csr command to create the certificate request and certificate keys on the HP-UX IPSec system.
• Using the openssl req command with the -newkey option to create the certificate request and key pair on the OpenSSL system. You must then create a PKCS#12 file on the OpenSSL system with the certificate and keys and transfer the file to the HP-UX IPSec system.
This section describes how to create certificates using the ipsec_config add csr command to
create the certificate request and certificate keys. For information about using the openssl req
command to create the certificate request and key pair, refer to the OpenSSL documentation.
1. On each HP-UX IPSec host, use the ipsec_config add csr command to create a Certificate
Signing Request (CSR).
The syntax for the ipsec_config add csr command is as follows:
ipsec_config add csr -subj[ect_name] subject_name
[-alt-ipv4 ipv4_addr]
[-alt-fqdn fqdn] [-alt-user-fqdn user_fqdn]
[-days number_days] [-key-length|klen number_bits]