Manualshelf

HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
919293949596979899100
5 Using Certificates with HP-UX IPSec
This chapter describes how to use security certificates with HP-UX IPSec. It contains the following
sections:
“Overview” (page 100)
“PKI Requirements” (page 101)
“LDAP Requirements” (page 102)
“Configuring Certificates” (page 102)
“Step 1: (Optional) Getting a Certificate for the Local System” (page 103)
“Step 2: Adding the Local Certificate” (page 105)
“Step 3: Adding the CA Certificates” (page 107)
“Step 4: Adding the CRL” (page 109)
“Step 5: Retrieving the CRL Using cron” (page 111)
“Configuration Example” (page 111)
“Managing Certificate Data” (page 112)
Overview
You must use security certificates if you are using digital signatures (RSA signatures) for IKE
authentication. HP-UX IPSec uses the certificates to obtain cryptography keys for digital signatures
and to verify the digital signatures. If you are not using digital signatures for IKE authentication,
you can skip this chapter.
Security Certificates and Public Key Cryptography
Security certificates are used for public key cryptography , also referred to as asymmetric key
cryptography. Public key cryptography uses a pair of related, but different keys. One key, the
private key , is associated with a specific system or entity and is kept secret; the other key is the
public key and can be distributed freely. The public and private keys are mathematically related
so that data encrypted with the public key can only be decrypted with the private key.
Public Key Distribution
With asymmetric key cryptography, the public key can be freely distributed over a non-secure
communication channel.
However, there must be some assurance that a particular public key is the actual public key of the
entity with which you want to communicate. This is usually done by distributing public keys in the
form of public-key certificates, commonly referred to as security certificates.
Security Certificates
A security certificate associates (or binds) a public key with a particular person, device, or other
entity. The certificate is issued by an entity, in whom users have put their trust, called a certificate
authority (CA) that guarantees or confirms the identity of the holder (person, device, or other entity)
of the corresponding private key. The CA digitally signs the certificate with the CA’s private key,
so the certificate can be verified using the CA’s public key.
The format for security certificates (public-key certificates) is defined by the International Organization
for Standardization (ISO) X.509 standard, Version 3.
Certificates are issued with a specific lifetime, defined by a start date/time and an expiration
date/time. However, situations can arise, such as a compromised key value, that necessitate the
revocation of the certificate. In this case, the certificate authority can revoke the certificate. This is
100 Using Certificates with HP-UX IPSec