HP-UX IPSec A.03.00 Release Notes
• All security certificates must be administered using a PKI product from the same vendor.
When you configure HP-UX IPSec, you must configure only one PKI vendor for all security
certificate operations.
• The PKI must support the following certificate file formats and access methods:
— Certificate Signing Requests: If you use the ipsec_config utility to create a key pair
and Certificate Signing Request (CSR) that you will submit to the CA, the CA must
support CSRs in Public Key Cryptography Standards #10 format (PKCS#10), and encoded
using Privacy-Enhanced Mail (PEM) base64 encoding. This CSR format is typically used
for “copy and paste” certificate requests.
If you are using a CA or PKI utility to create the key pair and CSR, the CA must provide
the certificate for the local system and the private key in a PKCS#12 encoded file.
— Certificates: The CA must provide X.509 Version 3 certificates encoded using one of
the following formats:
◦ Privacy-Enhanced Mail base64 (PEM)
◦ Distinguished Encoding Rules (DER)
◦ PKCS#12 (valid only for the local system certificate; not valid for CA certificates)
The ipsec_config utility can load a certificate from a local file. The ipsec_config
utility can also retrieve the certificate from an LDAP directory.
— Certificate Revocation Lists: The CA must provide X.509 Version 1 or X.509 Version 2
Certificate Revocation Lists (CRLs).
Implementations that meet these requirements include:
• OpenSSL
• Microsoft Windows 2003 Certification Authority
Multiple Level CA Requirements
If you are using a multiple-level CA structure, or chained CAs, you must have a certificate for
each CA in the authentication chain to the peer, and a CRL for each CA. In other words, you
must have a certificate and CRL for each of the following CAs:
• the root CA
• each CA in the authentication chain from the local system to the root CA
• each CA in the authentication chain from the peer system to the root CA
Each certificate and CRL must be contained in a separate certificate file or directory object; HP-UX
IPSec cannot load more than one certificate or CRL from a single file or directory object.
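The following is an added example; it is not part of these release notes and not HP software. It uses OpenSSL, which the notes list as a PKI that meets the requirements above, to produce each artifact in the format called for (a PEM-encoded PKCS#10 request, X.509 Version 3 certificates in PEM and DER, the local system certificate and private key in PKCS#12, and an X.509 Version 2 CRL from each CA of a two-level chain) and then checks those properties the way an administrator would before loading the files with ipsec_config. The CA names, the peer "hostA" at 192.0.2.10, the file names and the PKCS#12 passphrase are assumptions made for the example. It runs on any system with OpenSSL 1.1.1 or later:

```sh
#!/bin/sh
# Added example, not from the HP-UX release notes. OpenSSL (one of the two
# implementations the notes name) builds a two-level test PKI, produces each
# artifact in the format the notes require, and checks them before they go to
# ipsec_config. Assumed: the "Lab" CA names, hostA at 192.0.2.10, file names.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# One config for the whole example: a DN section so "req" runs on any OpenSSL
# release, v3 extension sections, and the minimum "ca" section for -gencrl.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = IP:192.0.2.10
[ ca ]
default_ca = crl_only
[ crl_only ]
database = ./index.txt
crlnumber = ./crlnumber
default_md = sha256
EOF
touch index.txt; echo 01 > crlnumber

# Root CA -> Issuing CA -> hostA (the local system). Signing with an extension
# section is what makes each certificate X.509 v3.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config pki.cnf \
    -extensions v3_ca -subj "/CN=Lab Root CA" -keyout root.key -out root.pem
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Lab Issuing CA" -keyout sub.key -out sub.csr
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_ca -out sub.pem
  # The "copy and paste" request for the local system: PKCS#10, PEM encoded.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=hostA" -keyout host.key -out host.csr
  openssl x509 -req -in host.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions v3_host -out host.pem
  # A CRL from every CA in the chain, each in its own file.
  openssl ca -config pki.cnf -gencrl -keyfile root.key -cert root.pem \
    -crldays 30 -out root.crl
  openssl ca -config pki.cnf -gencrl -keyfile sub.key -cert sub.pem \
    -crldays 30 -out sub.crl
  # The local certificate in DER, and local certificate plus private key in
  # PKCS#12 (the only object the notes allow in PKCS#12).
  openssl x509 -in host.pem -outform DER -out host.der
  openssl pkcs12 -export -inkey host.key -in host.pem -name hostA \
    -passout pass:lab-only -out host.p12
}

# Returns 0 if FILE is a PEM PKCS#10 request whose self-signature verifies.
csr_is_pkcs10_pem() {
  grep -q '^-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
# Prints the X.509 version of a PEM (default) or DER certificate; must be 3.
cert_version() {
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text |
    sed -n 's/^ *Version: *\([0-9]\).*/\1/p'
}
# Prints the CRL version; the notes accept 1 or 2.
crl_version() {
  openssl crl -in "$1" -noout -text | sed -n 's/^ *Version:* *\([0-9]\).*/\1/p'
}
# Prints how many certificates a PKCS#12 file carries (expect 1, the local one).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:lab-only -nokeys 2>/dev/null |
    grep -c '^-----BEGIN CERTIFICATE-----'
}
# Returns 0 if hostA chains to the root and every CA in the chain, root included,
# has a current CRL (concatenated only because verify takes one -CRLfile).
chain_and_crls_ok() {
  cat root.crl sub.crl > crls.pem
  openssl verify -CAfile root.pem -untrusted sub.pem -crl_check_all \
    -CRLfile crls.pem host.pem >/dev/null 2>&1
}
# Splits a PEM bundle into one object per file (PREFIX-1.pem, PREFIX-2.pem,
# ...) and prints the file count, since ipsec_config loads one object per file.
split_pem_bundle() {
  awk -v p="$2" '/^-----BEGIN /{n++; f=p "-" n ".pem"} f!=""{print > f}' "$1"
  ls "$2"-*.pem | wc -l | tr -d ' '
}

build_pki 2>/dev/null; cat root.pem sub.pem > chain-bundle.pem
echo "CSR is PEM PKCS#10: $(csr_is_pkcs10_pem host.csr && echo yes || echo no)"
echo "hostA cert version: $(cert_version host.pem), root CRL version: $(crl_version root.crl)"
echo "certs in PKCS#12:   $(p12_cert_count host.p12)"
echo "chain + CRL check:  $(chain_and_crls_ok && echo OK || echo FAIL)"
echo "bundle split into:  $(split_pem_bundle chain-bundle.pem ca) files in $WORK"
```

The chain check is the part worth carrying over to a real deployment: it fails if any CA in the path from hostA to the root lacks a current CRL, which is exactly the set of CRLs the notes require you to hold. Note that OpenSSL's verify is happy to read both CRLs from one concatenated file, whereas HP-UX IPSec is not; keep root.crl and sub.crl (and each CA certificate) in their own files, as split_pem_bundle does for a chain bundle handed over by a CA.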