HP-UX IPSec A.03.00 Release Notes
192.6.1.1 myhost
127.0.0.1 localhost loopback
• OpenSSL CA Does Not Copy Extension Fields
By default, an OpenSSL Certificate Authority (CA) does not copy extension fields from
Certificate Signing Requests (CSRs) to the signed certificate. To use OpenSSL certificates
with HP-UX IPSec, you must configure the OpenSSL CA to copy the extension fields.
Workaround: One way to force the OpenSSL CA to copy the extension fields is to
uncomment the following entry in the OpenSSL configuration file:
copy_extensions = copy
• ipsec_config Requires Subject for Certificate Signing Requests
The X.509 version 3 specification does not require the subject field in a certificate if the
subjectAlternativeName field is present. However, because of requirements in library routines
used by HP-UX IPSec, the ipsec_config add csr command always requires the user
to configure information for the subject field.
• Distinguished Names with Multiple Organizational Unit Attributes Not Supported for
Remote Authentication
If you are using certificate-based IKE authentication and the remote system's certificate has
a Distinguished Name (DN) field with multiple Organizational Unit (OU) attributes, the
remote ID field of the authentication record must not contain an OU attribute. For example,
if the remote system's certificate contains the DN
CN=MyHost,C=US,O=HP,OU=West,OU=Blue, the remote ID cannot include any OU
attributes. The remote ID can include other attributes from the DN (for example, -rid
CN=MyHost,C=US,O=HP), if doing so provides sufficient information to identify the remote
system. Alternatively, you can authenticate the identity of the remote system using another
ID type, such as IPv4 address (IPV4).
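
A pre-flight check for the restriction above, as an added example that is not part of the release notes or of HP-UX IPSec: it parses a certificate subject DN and a proposed remote ID and reports when the remote ID carries an OU attribute while the subject has more than one. The function names are hypothetical, and the exact-match check that every remote ID attribute appears in the subject is an assumption made for illustration.

```python
import re


def parse_dn(dn):
    """Split a comma-separated DN string into (TYPE, value) pairs.

    Backslash-escaped commas stay inside the value. Multi-valued RDNs
    joined with '+' are not split (not needed for this check).
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_remote_id(cert_subject, remote_id):
    """Return a list of problems with using remote_id for this certificate."""
    subject = parse_dn(cert_subject)
    rid = parse_dn(remote_id)
    problems = []

    # The documented restriction: a subject with multiple OU attributes
    # means the remote ID must not contain any OU attribute.
    ou_count = sum(1 for attr, _ in subject if attr == "OU")
    if ou_count > 1 and any(attr == "OU" for attr, _ in rid):
        problems.append("certificate subject has %d OU attributes; "
                        "remote ID must not contain OU" % ou_count)

    # Assumption for this example: each remote ID attribute should appear
    # in the subject with exactly the same type and value.
    for pair in rid:
        if pair not in subject:
            problems.append("remote ID attribute %s=%s is not in the "
                            "certificate subject" % pair)
    return problems


if __name__ == "__main__":
    subject = "CN=MyHost,C=US,O=HP,OU=West,OU=Blue"  # DN from the note above
    # The second remote ID is constructed for this example.
    for rid in ("CN=MyHost,C=US,O=HP", "CN=MyHost,O=HP,OU=West"):
        print(rid, "->", check_remote_id(subject, rid) or "ok")
```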