HP-UX IPSec Version A.03.00 Administrator's Guide

Configuration Example
This example shows the sequence of commands used to configure certificates for HP-UX IPSec
on the system hostA. In addition, the administrator must complete the configuration tasks
described in Chapter 4: “Configuring HP-UX IPSec” (page 65), such as configuring IPsec policies,
authentication rules, and IKE policies.
1. Create a CSR. In this example, the peer is an HP-UX system. By default, HP-UX IPSec uses
the IP address in the certificate Subject DistinguishedName field for IKE IDs, so the
administrator creates a CSR for the local system with the local IP address in the certificate:
ipsec_config add csr -subject c=US,o=HP,cn=hostA \
-alt-ipv4 15.1.1.1
HP-UX IPSec creates a CSR in PKCS#10 format, PEM encoded, and stores it in /var/adm/ipsec/ipsec.csr.
The administrator submits the contents of the /var/adm/ipsec/ipsec.csr file to the
CA. The submission method varies from vendor to vendor.
2. Receive a PEM file from the CA with a signed certificate for the local system (/tmp/hostA.pem). Add the certificate to the HP-UX storage scheme:
ipsec_config add mycert -file /tmp/hostA.pem
3. Receive a PEM file from the CA with a certificate for the CA (/tmp/cacert.pem). Add the certificate to the HP-UX storage scheme:
ipsec_config add cacert -file /tmp/cacert.pem
4. Create or receive a CRL from the CA. Add the CRL to the HP-UX storage scheme. In this example, the CRL is stored on the LDAP server with address 10.40.40.40.
ipsec_config add crl -ldap 10.40.40.40 \
-base C=US,O=HP -filter CN=The Big CA
5. Configure cron to automatically retrieve the CRL from the LDAP server by scheduling it
to execute /var/adm/ipsec/util/crl.cron for the root user.
Managing Certificate Data
This section contains information about certificate data storage and how to view and delete
certificate data.
Certificate Storage
HP-UX IPSec stores certificate data in the /var/adm/ipsec/certstore directory. The contents
of this directory are as follows:
mycert.pem: certificate for the local system
mykey.pem: private key for the local system certificate
rootcert.pem: softlink to the certificate file for the root CA
hash.0: CA certificate file, where hash is a hash value generated from the subject name
hash.r0: CRL file where hash is a hash value generated from the issuer's name
The ipsec_config add csr command saves the CSR in the file /var/adm/ipsec/ipsec.csr.
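The following shell function is an added example, not part of the HP-UX IPSec guide: it checks a certstore directory laid out as described above, confirming that mykey.pem belongs to mycert.pem, that rootcert.pem is a softlink that resolves, and that every hash.0 and hash.r0 file is named by the hash of its subject or issuer name. It assumes the openssl command is on PATH and that the hash follows OpenSSL's subject/issuer hash convention (either hash style is accepted); both are assumptions, not statements from the guide.

```sh
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide. Assumes the openssl
# command is on PATH and that the hash in hash.0 / hash.r0 follows
# OpenSSL's subject/issuer hash convention (an assumption; either hash
# style is accepted). Usage: check_certstore /var/adm/ipsec/certstore
check_certstore() {
    dir=$1
    rc=0
    # The private key must belong to the local certificate: compare the
    # public key taken from each file.
    certpub=$(openssl x509 -noout -pubkey -in "$dir/mycert.pem" 2>/dev/null)
    keypub=$(openssl pkey -pubout -in "$dir/mykey.pem" 2>/dev/null)
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "FAIL: mycert.pem and mykey.pem do not match"; rc=1
    fi
    # rootcert.pem is documented as a softlink; it must resolve to a file.
    if [ ! -L "$dir/rootcert.pem" ] || [ ! -r "$dir/rootcert.pem" ]; then
        echo "FAIL: rootcert.pem is not a softlink to a CA certificate"; rc=1
    fi
    # Each CA certificate hash.0 must be named by its own subject hash,
    # otherwise chain building cannot locate it.
    for f in "$dir"/*.0; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .0)
        h1=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null)
        h2=$(openssl x509 -noout -subject_hash_old -in "$f" 2>/dev/null)
        if [ "$name" != "$h1" ] && [ "$name" != "$h2" ]; then
            echo "FAIL: $f is not named by its subject hash ($h1 or $h2)"; rc=1
        fi
    done
    # Each CRL hash.r0 must be named by the hash of its issuer name.
    for f in "$dir"/*.r0; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .r0)
        h1=$(openssl crl -noout -hash -in "$f" 2>/dev/null)
        h2=$(openssl crl -noout -hash_old -in "$f" 2>/dev/null)
        if [ "$name" != "$h1" ] && [ "$name" != "$h2" ]; then
            echo "FAIL: $f is not named by its issuer hash ($h1 or $h2)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir is consistent"
    return $rc
}

if [ $# -ge 1 ]; then
    check_certstore "$1"
fi
```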
Viewing the Local System Certificate
To view the contents of the local system certificate, use the following command:
ipsec_config show mycert
For example: