HP-UX IPSec Version A.03.00 Administrator's Guide

Step 3: Adding the CA Certificates
Use the ipsec_config add cacert command to add CA certificates to the HP-UX IPSec storage scheme.
There are two syntax formats for the ipsec_config add cacert command:
ipsec_config add cacert -file
The ipsec_config add cacert -file syntax extracts a CA certificate from a file. The file can be in PEM or DER format. See “ipsec_config add cacert -file Syntax” (page 124).
ipsec_config add cacert -ldap
The ipsec_config add cacert -ldap syntax retrieves the certificate from an LDAP database. See “ipsec_config add cacert -ldap Syntax” (page 124).
The ipsec_config add cacert command stores the CA certificates in the /var/adm/ipsec/certstore directory. For more information, see “Certificate Storage” (page 129).
The ipsec_config add cacert functionality is not supported in ipsec_config batch files.
Multiple Level CAs
If you are using multiple-level CAs, you must use the ipsec_config add cacert command to add a certificate for each CA in the authentication chain to the peer, as described in “Multiple Level CA Requirements” (page 115).
Each CA certificate must be contained in a separate file or directory object; HP-UX cannot store multiple certificates enclosed in a single file or directory object.
ipsec_config add cacert -file Syntax
Use the following ipsec_config add cacert syntax to add a CA certificate to the HP-UX IPSec storage scheme:
ipsec_config add cacert -file cacert_filename
-file cacert_filename
The name of the DER or PEM file containing the certificate for the CA. If the file is password protected, ipsec_config prompts you for the password.
Default: None.
Examples
The following command extracts a CA certificate from the file /tmp/cacert.pem:
ipsec_config add cacert -file /tmp/cacert.pem
The following example retrieves three CA certificates for a multiple-level CA structure. The local system uses a certificate from the CA WestCA. The peer uses a certificate from the CA EastCA. WestCA and EastCA are child CAs below the CA RootCA.
ipsec_config add cacert -file /tmp/WestCAcert.pem
ipsec_config add cacert -file /tmp/EastCAcert.pem
ipsec_config add cacert -file /tmp/RootCAcert.pem
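Because ipsec_config add cacert -file accepts only one certificate per file, a CA chain delivered as a single PEM bundle has to be split before it can be added. The following POSIX shell script is an added example, not part of the HP-UX guide: it counts the certificates in a file, distinguishes PEM from DER by the ASN.1 SEQUENCE tag, splits a bundle into one-certificate files, and prints (but does not run) the resulting ipsec_config commands. The bundle contents and all paths are constructed placeholders.

```shell
# Added example, not from the HP-UX IPSec guide. ipsec_config add cacert -file
# takes one CA certificate per file, so a chain bundle (RootCA, WestCA, EastCA
# in a single PEM file) must be split first. All paths are hypothetical.

# Count the PEM certificates in a file (0 if none); "|| true" keeps grep's
# exit status 1 on zero matches from aborting a set -e script.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report PEM, DER, or UNKNOWN. A DER certificate is an ASN.1 SEQUENCE, so
# its first byte is 0x30; PEM is recognised by its BEGIN line.
cert_format() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Split a PEM bundle ($1) into $2/cacert1.pem, cacert2.pem, ... and print
# the number of files written. Lines outside BEGIN/END blocks are dropped.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cacert" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# Print the ipsec_config add cacert command for each split file
# (printed rather than executed so the list can be reviewed first).
print_add_commands() {
    for f in "$1"/cacert*.pem; do
        echo "ipsec_config add cacert -file $f"
    done
}

# Write a constructed three-certificate bundle (placeholder bodies, not
# real certificates) to $1, standing in for RootCA, WestCA and EastCA.
make_sample_bundle() {
    : > "$1"
    for ca in RootCA WestCA EastCA; do
        printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
            "PLACEHOLDER-BODY-FOR-$ca" >> "$1"
    done
}
```

Run each printed ipsec_config command only after confirming that count_pem_certs reports 1 for every split file.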
ipsec_config add cacert -ldap Syntax
Use the following ipsec_config add cacert syntax to retrieve a CA certificate from an LDAP directory and add the certificate to the HP-UX IPSec storage scheme:
ipsec_config add cacert -ldap server [-port port_number] -base search_base [-filter search_filter] [-user user [-password password]]
124 Using Certificates with HP-UX IPSec