HP-UX IPSec version A.02.00 Administrator's Guide
Using Certificates with HP-UX IPSec
Chapter 4
Using VeriSign Certificates
Overview
There are three main components in the VeriSign Managed PKI architecture.
• A VeriSign Managed PKI Certificate Authority (CA), which is located at a VeriSign data center and administered by VeriSign. The Managed PKI CA creates and manages certificates and Certificate Revocation Lists (CRLs). The VeriSign Managed PKI CA is accessed through the VeriSign Managed PKI Control Center website.
• A local Managed PKI Administrator, a person located at your site who uses the VeriSign Managed PKI Control Center website to approve client certificate requests and can ask the Managed PKI CA to revoke a client's certificate.
• Clients located at your site who request, get and use certificates. For HP-UX IPSec, a client is a system that uses a certificate-based primary authentication method for IKE, such as RSA signatures. Each system must request and get a certificate before starting the HP-UX IPSec subsystem that uses certificate-based authentication. To perform this task, use the ipsec_mgr program to request and receive certificates from the Managed PKI CA. The ipsec_mgr program will send the requests to the Managed PKI CA through the Managed PKI Control Center website.
The general data flow between these components is listed below and shown in Figure 4-1.
1. The IPSec administrator requests a VeriSign certificate using the ipsec_mgr program. The ipsec_mgr program sends a certificate request on behalf of HP-UX IPSec to the Managed PKI CA via the Managed PKI Control Center website.
2. The Managed PKI CA sends a Notify for Request message to the local Managed PKI Administrator at the customer site. This message notifies the Managed PKI Administrator that the client (the HP-UX IPSec system) is requesting a certificate. The Notify for Request message is typically sent using a secure email message.
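The three-party flow above (client request, Notify for Request to the local administrator, administrator approval or revocation, CA-maintained CRL) can be modelled in code to make the trust boundaries explicit: the client never issues its own certificate, only an authorized local administrator can move a request from pending to issued, and a revoked certificate fails verification even though its signature is still intact. The following Python model is an added illustration written for this guide's readers; it is not part of the HP-UX IPSec product, ipsec_mgr, or any VeriSign software, and all class names, the HMAC "signature" stand-in for the CA's real signing key, and the sample hostnames are constructed assumptions.

```python
"""Toy model of a Managed PKI enrollment flow (constructed example, not ipsec_mgr).

Roles mirror the guide's description:
  ManagedPkiCA        - issues certificates, notifies the local admin, keeps the CRL
  LocalAdministrator  - approves pending requests and asks the CA to revoke
  IpsecClient         - the HP-UX IPSec system that requests and uses a certificate
The CA "signature" is an HMAC tag over the certificate fields; a real CA would use an
asymmetric signature, but the approval/revocation logic is the point of the model.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    public_key: str
    tag: str  # stand-in for the CA's signature


@dataclass
class LocalAdministrator:
    name: str
    authorized: bool = True  # whether this person may approve/revoke at the Control Center


class ManagedPkiCA:
    def __init__(self) -> None:
        self._signing_key = secrets.token_bytes(32)  # placeholder for the CA's private key
        self._pending: dict[int, tuple[str, str]] = {}
        self._issued: dict[int, Certificate] = {}
        self.crl: set[int] = set()          # serial numbers of revoked certificates
        self.notifications: list[dict] = []  # "Notify for Request" messages sent to the admin
        self._next_request = 1
        self._next_serial = 1

    def _sign(self, serial: int, subject: str, public_key: str) -> str:
        msg = f"{serial}|{subject}|{public_key}".encode()
        return hmac.new(self._signing_key, msg, hashlib.sha256).hexdigest()

    def submit_request(self, subject: str, public_key: str) -> int:
        """Step 1/2: queue the request and notify the local administrator."""
        request_id = self._next_request
        self._next_request += 1
        self._pending[request_id] = (subject, public_key)
        self.notifications.append(
            {"type": "Notify for Request", "request_id": request_id, "subject": subject}
        )
        return request_id

    def approve(self, request_id: int, admin: LocalAdministrator) -> Certificate:
        """Only an authorized local administrator can turn a pending request into a cert."""
        if not admin.authorized:
            raise PermissionError(f"{admin.name} may not approve certificate requests")
        subject, public_key = self._pending.pop(request_id)  # KeyError if unknown/already used
        serial = self._next_serial
        self._next_serial += 1
        cert = Certificate(serial, subject, public_key, self._sign(serial, subject, public_key))
        self._issued[serial] = cert
        return cert

    def revoke(self, serial: int, admin: LocalAdministrator) -> None:
        if not admin.authorized:
            raise PermissionError(f"{admin.name} may not revoke certificates")
        if serial not in self._issued:
            raise KeyError(f"serial {serial} was never issued")
        self.crl.add(serial)

    def verify(self, cert: Certificate) -> bool:
        """Signature must be genuine AND the serial must not appear on the CRL."""
        expected = self._sign(cert.serial, cert.subject, cert.public_key)
        return hmac.compare_digest(expected, cert.tag) and cert.serial not in self.crl


class IpsecClient:
    """Plays the role of the HP-UX IPSec system running ipsec_mgr."""

    def __init__(self, hostname: str) -> None:
        self.hostname = hostname
        self.public_key = hashlib.sha256(secrets.token_bytes(32)).hexdigest()  # stand-in key
        self.cert: Certificate | None = None

    def request_certificate(self, ca: ManagedPkiCA) -> int:
        return ca.submit_request(self.hostname, self.public_key)


def run_enrollment_flow() -> dict:
    """Drive one client through request, approval, use and revocation."""
    ca = ManagedPkiCA()
    admin = LocalAdministrator("pki-admin")
    client = IpsecClient("hpux-gw1.example.com")  # constructed hostname

    request_id = client.request_certificate(ca)
    notify = ca.notifications[-1]                # what the local admin receives
    client.cert = ca.approve(request_id, admin)  # admin approves at the Control Center

    valid_before = ca.verify(client.cert)
    ca.revoke(client.cert.serial, admin)
    valid_after = ca.verify(client.cert)         # same signature, but now on the CRL

    forged = Certificate(999, "rogue-host", client.public_key, "00" * 32)
    return {
        "request_id": request_id,
        "notification": notify["type"],
        "valid_before_revocation": valid_before,
        "valid_after_revocation": valid_after,
        "forged_accepted": ca.verify(forged),
    }


if __name__ == "__main__":
    print(run_enrollment_flow())
```

The two checks worth carrying into a real deployment are the ones the model enforces: a certificate is only issued after an out-of-band approval by the site's administrator, and relying parties must consult the CRL rather than trusting a valid signature alone.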