HP-UX IPSec Version A.03.00 Administrator's Guide

Configuring Certificates
Use the following procedure to configure certificates for HP-UX IPSec. You must also complete
the configuration tasks for the main product components, as described in Chapter 4: “Configuring
HP-UX IPSec” (page 65).
You create one certificate for each HP-UX IPSec system that uses RSA signatures for IKE
authentication. If the local system is multihomed (has multiple IP addresses), you still create
only one certificate for the system.
1. If you are not using a CA or PKI utility to create the local system certificate, use the
ipsec_config add csr command to create a Certificate Signing Request (CSR) for the
local system. This task is described in “Step 1: (Optional) Getting a Certificate for the Local
System” (page 118). You must also submit the Certificate Signing Request to the CA.
2. Use the ipsec_config add mycert command to add the local system certificate to the
HP-UX IPSec storage scheme. This task is described in “Step 2: Adding the Local Certificate”
(page 122).
3. Use the ipsec_config add cacert command to add CA certificates to the HP-UX IPSec
storage scheme. This task is described in “Step 3: Adding the CA Certificates” (page 124).
4. Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage
scheme. This task is described in “Step 4: Adding the CRL” (page 126).
5. If the CA distributes the CRL to an LDAP directory, you can also modify the root user's
crontab file to retrieve the CRL from the LDAP directory. This task is described in “Step
5: Retrieving the CRL Using cron” (page 128).
Configuring Certificates 117