HP-UX IPSec Version A.03.00 Administrator's Guide

Step 4: Adding the CRL
Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage scheme.
There are two syntax formats for the ipsec_config add crl command:
ipsec_config add crl -file
The ipsec_config add crl -file syntax extracts the CRL from a file. The file can
be in PEM or DER format. See “ipsec_config add crl -file Syntax” (page 126).
ipsec_config add crl -ldap
The ipsec_config add crl -ldap syntax retrieves the CRL from an LDAP
database. See “ipsec_config add crl -ldap Syntax” (page 126).
The ipsec_config add crl command stores the CRLs in the /var/adm/ipsec/
certstore directory. For more information, see “Certificate Storage” (page 129).
The add crl functionality is not supported in ipsec_config batch files.
Multiple Level CAs
If you are using multiple-level CAs, you must use the ipsec_config add crl command to
add a CRL for each CA in the authentication chain to the peer, as described in “Multiple Level
CA Requirements” (page 115).
Each CRL must be contained in a separate file or directory object.
ipsec_config add crl -file Syntax
The add crl functionality is not supported in ipsec_config batch files. Use the following
ipsec_config add crl syntax to add a CRL from a local file to the HP-UX IPSec storage
scheme:
ipsec_config add crl -file crl_filename
-file crl_filename
Name of the local file containing the CRL.
Default: None.
Example
The following command adds /tmp/crl.der, the CRL file in DER format received from the
CA, to the /var/adm/ipsec/certstore directory.
ipsec_config add crl -file /tmp/crl.der
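The multiple-level CA requirement above (one CRL per CA in the chain, each in its own file) and the -file syntax together suggest a small wrapper that adds every CRL file in a directory with one ipsec_config add crl -file call each, reporting whether each file is PEM or DER before the call. The script below is an added example, not part of the HP-UX IPSec guide; the IPSEC_CONFIG variable (which lets an administrator point at a stub for a dry run), the crl_format and add_crl_chain function names, and the directory layout are assumptions for this illustration. It treats any file that does not carry the PEM "-----BEGIN X509 CRL-----" armor as DER, which matches the two formats the page says the command accepts.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): add one CRL per file for a
# multi-level CA chain using "ipsec_config add crl -file crl_filename".
# IPSEC_CONFIG is an assumption of this script, not an HP-UX feature: it lets
# you substitute a stub command for a dry run before touching the certstore.

IPSEC_CONFIG="${IPSEC_CONFIG:-ipsec_config}"

# Report PEM or DER for a CRL file. A PEM CRL carries the X509 CRL armor
# header; anything else is treated as DER, the other format the command accepts.
crl_format() {
    if grep -q -e '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Add every regular file in the directory as a separate CRL, one ipsec_config
# call per file (each CRL must be in its own file). Stops at the first failure
# so a broken CRL in the chain is not silently skipped. Prints the number of
# CRLs added on stdout; progress goes to stderr.
add_crl_chain() {
    dir="$1"
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmt=$(crl_format "$f")
        echo "adding $f ($fmt)" >&2
        "$IPSEC_CONFIG" add crl -file "$f" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Usage (assumed directory of CRL files, e.g. root.crl and sub.crl):
#   add_crl_chain /tmp/crls
```

For a dry run, set IPSEC_CONFIG to a script that only logs its arguments and confirm that exactly one add crl -file invocation appears per CA in the chain before running it against the real ipsec_config.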
ipsec_config add crl -ldap Syntax
Use the following ipsec_config add crl syntax to add a CRL from an LDAP directory to
the HP-UX IPSec storage scheme:
ipsec_config add crl -ldap server [-port port_number]
-base search_base [-filter search_filter] [-user user [-password password]]
-ldap server
The hostname or address of the LDAP server where the CRL is stored.
Default: None.
-port port_number
TCP port number for the LDAP server.
Range: 1 - 65535.
126 Using Certificates with HP-UX IPSec