HP-UX IPSec version A.02.01 Administrator's Guide

Using Certificates with HP-UX IPSec (Chapter 5)

Configuring Certificates
Use the following procedure to configure certificates for HP-UX IPSec. You must also complete the configuration tasks for the main product components, as described in Chapter 4, “Configuring HP-UX IPSec,” on page 89.

You create one certificate for each HP-UX IPSec system that uses RSA signatures for IKE authentication. If the local system is multihomed (has multiple IP addresses), you still create only one certificate for the whole system.
Step 1. Use the ipsec_config add csr command to create a Certificate Signing Request (CSR) for the local system. This task is described in “Step 1: Creating a Certificate Signing Request” on page 158.

Step 2. Submit the Certificate Signing Request to the CA. This task is described in “Step 2: Submitting the Certificate Signing Request to the CA” on page 161.

Step 3. Retrieve the certificate for the local system and the certificate for the CA. Use the ipsec_config add cert command to extract the certificates and add them to the HP-UX IPSec storage scheme. This task is described in “Step 3: Adding the Certificates” on page 162.

Step 4. Use the ipsec_config add auth command to configure authentication records with IKE IDs for the local and remote systems as needed. This task is described in “Step 4: Configuring Authentication Records with IKE IDs” on page 163.

Step 5. Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage scheme. This task is described in “Step 5: Adding the CRL to HP-UX IPSec” on page 171.

Step 6. If the CA distributes the CRL to an LDAP directory, you can also modify the root user’s crontab file to retrieve the CRL from the LDAP directory. This task is described in “Step 6: Retrieving the CRL Using cron” on page 174.
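The cron job in Step 6 has to pull the CRL out of the directory before Step 5's command can load it. The following fetch script, written for that crontab entry, is an added example and not part of the guide: it assumes OpenLDAP's ldapsearch client is installed, uses a hypothetical directory entry and URI, and treats the ipsec_config add crl invocation at the end as an assumption (use the syntax given in Step 5). It unfolds the LDIF output, decodes the base64 CRL attribute and refuses to load anything that is not DER.

```python
import base64, subprocess, sys

# Hypothetical placeholders: the CA's directory entry and where the fetched CRL is written.
LDAP_URI = "ldap://ldap.example.com"
CRL_DN = "cn=Example CA,ou=CAs,o=example"
CRL_FILE = "/var/tmp/ca.crl"
ADD_CRL_CMD = ["/usr/sbin/ipsec_config", "add", "crl", CRL_FILE]  # assumed form; see the guide's Step 5

def unfold_ldif(ldif: str) -> list:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def extract_binary_attr(ldif: str, attr: str) -> bytes:
    """Return the decoded value of a base64-encoded LDIF attribute ('attr:: <base64>')."""
    prefix = attr + ":: "
    for line in unfold_ldif(ldif):
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):], validate=True)
    raise ValueError(f"attribute {attr!r} not present in LDIF")

def looks_like_der(blob: bytes) -> bool:
    return len(blob) > 2 and blob[0] == 0x30  # a DER CRL starts with an ASN.1 SEQUENCE tag

def fetch_crl_ldif(uri: str, dn: str) -> str:
    """Read one entry's CRL attribute with OpenLDAP's ldapsearch (assumed to be installed)."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", dn, "-s", "base",
           "certificateRevocationList;binary"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample of ldapsearch output: a tiny SEQUENCE stands in for a real CRL, folded over two lines.
SAMPLE_CRL_DER = bytes.fromhex("30050201010500")
_b64 = base64.b64encode(SAMPLE_CRL_DER).decode()
SAMPLE_LDIF = f"dn: {CRL_DN}\nobjectClass: pkiCA\ncertificateRevocationList;binary:: {_b64[:6]}\n {_b64[6:]}\n"

def main() -> int:
    crl = extract_binary_attr(fetch_crl_ldif(LDAP_URI, CRL_DN), "certificateRevocationList;binary")
    if not looks_like_der(crl):
        print("fetched CRL is not DER; not loading it", file=sys.stderr)
        return 1
    with open(CRL_FILE, "wb") as fh: fh.write(crl)
    subprocess.run(ADD_CRL_CMD, check=True)  # hand the file to HP-UX IPSec (Step 5's command)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```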