HP-UX IPSec Version A.03.00 Administrator's Guide
Step 1: (Optional) Getting a Certificate for the Local System
There are two methods you can use to obtain a certificate for the local system:
• Use the ipsec_config add csr command to create a Certificate Signing Request (CSR)
for the local system. The ipsec_config utility generates a public/private key pair and
unsigned certificate for the local system.
To use this method, the CA must accept CSRs in PKCS#10 format.
• Use a utility provided by the PKI or CA to create a public/private key pair and certificate
for the local system.
To use this method, the CA must provide a PKCS#12 file that contains the system certificate
and the corresponding private key.
One advantage of using the ipsec_config add csr command to create a CSR is that the
private key is generated on the local system and remains on the system; the private key is never
exposed to another system.
Using the ipsec_config add csr Command
The ipsec_config add csr command performs the following tasks:
• Generates a public/private key pair for the local system. It stores the private key in the file
/var/adm/ipsec/certstore/mykey.pem and makes this file accessible only to users
with superuser capabilities.
• Creates a PKCS#10 Certificate Signing Request, PEM formatted, and stores it in the file
/var/adm/ipsec/ipsec.csr.
ipsec_config add csr Syntax
The add csr functionality is not supported in ipsec_config batch files. Use the following
ipsec_config add csr syntax to create a certificate request:
ipsec_config add csr -subject subject_name
[-alt-ipv4 ipv4_addr] [-alt-fqdn fqdn]
[-alt-user-fqdn user_fqdn]
[-key_length number_bits] [-days number_days]
TIP: If the peer is an HP-UX system, use the following syntax to create a certificate with the
local IP address as the subjectAlternativeName. This simplifies the configuration for the
authentication records because the IKE daemon uses IP addresses for IKE IDs by default.
ipsec_config add csr -subject subject_name
-alt-ipv4 ipv4_addr
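As an added example (not part of the guide and not the ipsec_config utility itself), a POSIX shell script that checks a PEM PKCS#10 CSR the way an administrator should before submitting it to the CA: it confirms the CSR parses with a subject, that the subjectAltName carries the local IPv4 address the IKE daemon will use as its ID, and that the private key file is readable by its owner only. Because ipsec_config is not available off HP-UX, the script builds a stand-in CSR with OpenSSL (1.1.1 or later for -addext); the DN, the IP address and the working directory are constructed values.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: sanity-check a PEM PKCS#10 CSR
# before sending it to the CA. ipsec_config is not available here, so
# make_stand_in_csr builds an equivalent CSR with OpenSSL (1.1.1+ for
# -addext); on HP-UX you would run check_csr against /var/adm/ipsec/ipsec.csr.

WORK=${TMPDIR:-/tmp}/csr-check.$$
mkdir -p "$WORK"

# Convert the guide's comma-separated DN ("CN=host1,C=US,...") into the
# slash-separated form that openssl -subj expects.
dn_to_openssl() {
    printf '/%s\n' "$1" | sed 's/,/\//g'
}

# Stand-in for ipsec_config add csr: RSA key pair, private key created with
# mode 0600, and a CSR whose subjectAltName is the local IPv4 address.
# Prints the CSR path. All values are constructed (192.0.2.0/24 is a test range).
make_stand_in_csr() {
    key="$WORK/mykey.pem"; csr="$WORK/ipsec.csr"
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "$(dn_to_openssl "$1")" -addext "subjectAltName=IP:$2" \
        >/dev/null 2>&1 || return 1
    printf '%s\n' "$csr"
}

# Return 0 only if the CSR parses, carries a subject, and lists the expected
# IPv4 address in subjectAltName. That address is what IKE matches against
# the peer's IP-address ID, so a typo here surfaces later as an auth failure.
check_csr() {
    csr="$1"; ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q '^ *Subject:' || return 1
    printf '%s\n' "$text" | grep -Eq "IP Address:$ip_re(,|\$)" || return 1
}

# Return 0 only if the private key file has no group or other permissions,
# matching the guide's "accessible only to users with superuser capabilities".
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Run check_csr and key_is_private against the real /var/adm/ipsec/ipsec.csr and /var/adm/ipsec/certstore/mykey.pem on the HP-UX system; the stand-in generator is only there so the checks can be exercised elsewhere.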
-subject subject_name
The value you want in the subjectName field for the certificate in X.500 Distinguished Name
(DN) format. HP-UX IPSec supports the following attributes:
CN=commonName
C=country
O=organization
OU=organizationalUnit
The attributes are all optional, but you must specify at least one. Separate multiple attributes
using commas. The order of the attributes is ignored and the DN is not case sensitive.
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example,
"CN=host1,C=US,O=My Company,OU=Blue Lab".
The values are defined as follows:
118 Using Certificates with HP-UX IPSec