HP-UX IPSec A.03.00.01 Release Notes (HP-UX 11i Version 3)

Public Key Infrastructure requirements
To use security certificates with HP-UX IPSec, your topology must meet the following requirements:
• All security certificates must be administered using a PKI product from the same vendor. When you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate operations.
• The PKI must support the following certificate file formats and access methods:
  - Certificate Signing Requests: If you use the ipsec_config utility to create a key pair and Certificate Signing Request (CSR) that you will submit to the CA, the CA must support CSRs in Public Key Cryptography Standards #10 (PKCS#10) format, encoded using Privacy-Enhanced Mail (PEM) base64 encoding. This CSR format is typically used for copy-and-paste certificate requests.
    If you are using a CA or PKI utility to create the key pair and CSR, the CA must provide the certificate for the local system and the private key in a PKCS#12 encoded file.
  - Certificates: The CA must provide X.509 Version 3 certificates encoded using one of the following formats:
    * Privacy-Enhanced Mail base64 (PEM)
    * Distinguished Encoding Rules (DER)
    * PKCS#12 (valid only for the local system certificate; not valid for CA certificates)
    The ipsec_config utility can load a certificate from a local file. The ipsec_config utility can also retrieve the certificate from an LDAP directory.
  - Certificate Revocation Lists: The CA must provide X.509 Version 1 or X.509 Version 2 Certificate Revocation Lists (CRLs).
Implementations that meet these requirements include:
• OpenSSL
• Microsoft Windows 2003 Certification Authority
Multiple-level CA requirements
If you are using a multiple-level CA structure, or chained CAs, you must have a certificate for each CA in the authentication chain to the peer, and a CRL for each CA. In other words, you must have a certificate and CRL for each of the following CAs:
• the root CA
• each CA in the authentication chain from the local system to the root CA
• each CA in the authentication chain from the peer system to the root CA
Each certificate and CRL must be contained in a separate certificate file or directory object; HP-UX cannot load multiple certificates or CRLs from a single file or directory object.
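The requirements above (PEM-encoded PKCS#10 CSRs, X.509 v3 certificates, v1 or v2 CRLs, one object per file, and a certificate plus CRL for every CA on both chains to the root) are easy to get wrong when a CA hands you a bundle. The following pre-flight checker is an added example, not HP's code and not part of ipsec_config; it reads only the leading DER fields of each object (no signature or validity checking) and the sample certificate, CRL and CSR it tests against are constructed stand-ins built with a minimal DER encoder, not real PKI output.

```python
"""Pre-flight checks on certificate material before loading it with ipsec_config.

Added example (not HP's code). From the release-note requirements it checks that:
  - CSRs are PEM (base64) encoded PKCS#10 (version 0)
  - certificates are X.509 v3 and CRLs are X.509 v1 or v2 (PEM or DER)
  - a file holds exactly one object, since HP-UX loads one cert or CRL per file
  - every CA on the local->root and peer->root chains has both a cert and a CRL
Only the first field of the signed body is parsed; signatures are not verified.
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(data: bytes):
    """Split data into (label, DER bytes) pairs; a file with no PEM armour is treated as raw DER."""
    blocks = [(m.group(1).decode(), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(data)]
    return blocks or [("DER", data)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos). Low tag numbers only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _first_signed_field(der: bytes):
    """(tag, value) of the first field inside tbsCertificate / tbsCertList / certificationRequestInfo."""
    tag, outer, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, body, _ = _tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("signed body is not a SEQUENCE")
    tag, value, _ = _tlv(body, 0)
    return tag, value


def version_of(der: bytes, kind: str) -> int:
    """Version as the object states it: X.509 v1..v3 for certs and CRLs, 0 for a PKCS#10 CSR."""
    tag, value = _first_signed_field(der)
    if kind == "CERTIFICATE":              # version [0] EXPLICIT INTEGER, DEFAULT v1 when absent
        if tag != 0xA0:
            return 1
        itag, ival, _ = _tlv(value, 0)
        if itag != 0x02:
            raise ValueError("version field is not an INTEGER")
        return int.from_bytes(ival, "big") + 1
    if kind == "X509 CRL":                 # version INTEGER OPTIONAL; absent means v1
        return int.from_bytes(value, "big") + 1 if tag == 0x02 else 1
    if kind == "CERTIFICATE REQUEST":      # PKCS#10: version INTEGER, value 0
        if tag != 0x02:
            raise ValueError("CSR version field is not an INTEGER")
        return int.from_bytes(value, "big")
    raise ValueError(f"unsupported object type {kind!r}")


def check_file(data: bytes, expected: str) -> list:
    """Problems found in one file; an empty list means it meets the stated requirements."""
    problems = []
    blocks = pem_blocks(data)
    if len(blocks) != 1:
        problems.append(f"{len(blocks)} objects in one file; HP-UX IPSec loads one per file")
    for label, der in blocks:
        if label == "DER" and expected == "CERTIFICATE REQUEST":
            problems.append("CSR must be PEM (base64) encoded, raw DER found")
            continue
        kind = expected if label == "DER" else label
        if kind != expected:
            problems.append(f"expected {expected}, found {kind}")
            continue
        try:
            v = version_of(der, kind)
        except (ValueError, IndexError) as exc:
            problems.append(f"unparsable {kind}: {exc}")
            continue
        if kind == "CERTIFICATE" and v != 3:
            problems.append(f"certificate is X.509 v{v}; v3 required")
        elif kind == "X509 CRL" and v not in (1, 2):
            problems.append(f"CRL is X.509 v{v}; v1 or v2 required")
        elif kind == "CERTIFICATE REQUEST" and v != 0:
            problems.append(f"CSR version {v} is not PKCS#10 version 0")
    return problems


def missing_ca_material(local_chain, peer_chain, have_cert, have_crl):
    """(ca, 'cert'|'crl') pairs still needed for every CA on either chain, root included."""
    needed = sorted(set(local_chain) | set(peer_chain))
    return [(ca, item) for ca in needed
            for item, have in (("cert", have_cert), ("crl", have_crl)) if ca not in have]


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _pem(label: str, der: bytes) -> bytes:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n".encode()


# Constructed stand-ins: only the leading fields of the signed body exist, which is all the checks read.
V3_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01"))))
V1_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, _der(0x02, b"\x01"))))
V2_CRL = _pem("X509 CRL", _der(0x30, _der(0x30, _der(0x02, b"\x01"))))
PKCS10_CSR = _pem("CERTIFICATE REQUEST", _der(0x30, _der(0x30, _der(0x02, b"\x00"))))

if __name__ == "__main__":
    print(check_file(V3_CERT, "CERTIFICATE"))                # []
    print(check_file(V1_CERT, "CERTIFICATE"))                # v3 required
    print(check_file(V3_CERT + V3_CERT, "CERTIFICATE"))      # two objects in one file
    print(check_file(PKCS10_CSR, "CERTIFICATE REQUEST"))     # []
    print(missing_ca_material(["Sub-A", "Root"], ["Sub-B", "Root"],
                              have_cert={"Root", "Sub-A", "Sub-B"}, have_crl={"Root", "Sub-A"}))
```

Run it against the files a CA actually delivered (one call to check_file per file, with the expected label) and feed the CA names from both chains to missing_ca_material; a bundle that concatenates the whole chain into one PEM file shows up as the "objects in one file" problem and must be split before ipsec_config will accept it. The DER reader handles only the short- and long-form lengths and low tag numbers that X.509 objects use, which is sufficient for reading the version field.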
Public Key Infrastructure requirements 17