HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

The ipsec_config utility can load a certificate from a local file or retrieve it from an
LDAP directory.
Certificate Revocation Lists: The CA must provide X.509 Version 1 or X.509 Version 2
Certificate Revocation Lists (CRLs).
Implementations that meet these requirements include:
OpenSSL
Microsoft Windows 2003 Certification Authority
Multiple Level CA Requirements
If you are using a multiple-level CA structure, or chained CAs, you must have a certificate for each
CA in the authentication chain to the peer, and a CRL for each CA. In other words, you must have
a certificate and CRL for each of the following CAs:
the root CA
each CA in the authentication chain from the local system to the root CA
each CA in the authentication chain from the peer system to the root CA
Each certificate and CRL must be contained in a separate certificate file or directory object; HP-UX
IPSec cannot load more than one certificate or CRL from a single file or directory object. If the CA
delivers the chain and CRLs as one bundle, split it into one object per file before adding them.
LDAP Requirements
The local system certificate must be stored in a userCertificate;binary attribute.
A CA certificate must be stored in a cACertificate;binary attribute.
A CRL must be stored in a certificateRevocationList;binary attribute. Some vendors
publish the CRL as a certificateRevocationList;binary attribute of a
certificationAuthority object. Other vendors publish the CRL as a
certificateRevocationList;binary attribute of a cRLDistributionPoint object.
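The two requirements above (a certificate and a CRL for every CA in the chain, each in its own file; CRLs published as certificateRevocationList;binary values) are easy to get wrong when a CA hands over a single PEM bundle or when the CRL has to be pulled out of an LDAP entry. The following Python script is an added example, not code from this guide or from HP: it takes a PEM bundle and the LDIF text that ldapsearch -LLL prints for a directory entry, separates the objects, decodes the ;binary attribute, and reports any CA in the chain that has no CRL, matching CRL issuers to CA subjects by their encoded Names. The CA names, the directory DN, and the sample certificates and CRLs are constructed stand-ins (structurally valid DER with placeholder fields, not real or verifiable certificates).

```python
"""Added example, not code from the HP-UX guide: check a CA bundle and an
LDAP-published CRL against the HP-UX IPSec rules (a certificate and a CRL for
every CA in the chain, one object per file). Standard library only."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_pem(text):
    """[(label, der_bytes)] for every PEM object in a bundle, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def to_pem(label, der):
    """One DER object as one PEM object; write each result to its own file."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def ldif_binary_values(ldif_text, attr):
    """DER values of a ';binary' attribute in LDIF (e.g. ldapsearch -LLL output)."""
    unfolded = re.sub(r"\n ", "", ldif_text)            # LDIF folds long values onto lines
    pattern = re.compile(r"^" + re.escape(attr) + r":: *(\S+)$", re.M)  # starting with a space;
    return [base64.b64decode(m.group(1)) for m in pattern.finditer(unfolded)]  # '::' = base64

def _tlv(buf, pos=0):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                         # raw TLVs inside a SEQUENCE/SET
    pos = start
    while pos < end:
        _, _, vend = _tlv(buf, pos)
        yield buf[pos:vend]
        pos = vend

def _tbs_field(der, version_tag, index):
    """Field 'index' of the to-be-signed SEQUENCE, after skipping the optional version."""
    _, s, _ = _tlv(der)                                 # Certificate / CertificateList
    _, ts, te = _tlv(der, s)                            # tbsCertificate / tbsCertList
    fields = list(_children(der, ts, te))
    return (fields[1:] if fields[0][0] == version_tag else fields)[index]

# tbsCertificate: [0] version?, serialNumber, signature, issuer, validity, subject, ...
def cert_issuer(der): return _tbs_field(der, 0xA0, 2)
def cert_subject(der): return _tbs_field(der, 0xA0, 4)
# tbsCertList: version (INTEGER)?, signature, issuer, thisUpdate, ...
def crl_issuer(der): return _tbs_field(der, 0x02, 1)

def cn_of(name_der):
    """commonName of a DER Name, or the whole Name in hex if it has none."""
    _, s, e = _tlv(name_der)
    for rdn in _children(name_der, s, e):               # each RelativeDistinguishedName
        for attr in _children(rdn, *_tlv(rdn)[1:]):     # each AttributeTypeAndValue
            oid, value = _children(attr, *_tlv(attr)[1:])
            if oid == b"\x06\x03\x55\x04\x03":          # id-at-commonName, 2.5.4.3
                return value[_tlv(value)[1]:].decode("utf-8", "replace")
    return name_der.hex()

def cas_without_crl(objects):
    """CNs of CAs (any cert whose subject issued a cert here, the self-issued root
    included) that have no CRL among the [(label, der)] objects."""
    certs = [d for l, d in objects if l == "CERTIFICATE"]
    issuers = {cert_issuer(d) for d in certs}
    covered = {crl_issuer(d) for l, d in objects if l == "X509 CRL"}
    return [cn_of(cert_subject(d)) for d in certs
            if cert_subject(d) in issuers and cert_subject(d) not in covered]

# --- constructed sample input: structurally valid DER, not real certificates ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form lengths suffice
def _name(cn):   # Name ::= SEQUENCE OF SET OF {type 2.5.4.3 (CN), value UTF8String}
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def skeleton_cert(issuer, subject):   # v1 Certificate layout, empty placeholders
    tbs = (_der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer)
           + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def skeleton_crl(issuer):             # v2 CertificateList layout, no revoked entries
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer) + _der(0x17, b"240101000000Z")
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

ROOT, SUB, HOST = "HP-UX Root CA", "HP-UX Issuing CA", "host1.example.com"
SAMPLE_BUNDLE = (to_pem("CERTIFICATE", skeleton_cert(SUB, HOST))     # host cert, chain
                 + to_pem("CERTIFICATE", skeleton_cert(ROOT, SUB))   # and only the
                 + to_pem("CERTIFICATE", skeleton_cert(ROOT, ROOT))  # root's CRL, all
                 + to_pem("X509 CRL", skeleton_crl(ROOT)))            # in one file
_B64 = base64.b64encode(skeleton_crl(SUB)).decode()
SAMPLE_LDIF = ("dn: cn=HP-UX Issuing CA,ou=PKI,dc=example,dc=com\n"  # as ldapsearch -LLL
               "objectClass: cRLDistributionPoint\ncn: HP-UX Issuing CA\n"  # prints it
               f"certificateRevocationList;binary:: {_B64[:40]}\n {_B64[40:]}\n")

if __name__ == "__main__":
    print(cas_without_crl(split_pem(SAMPLE_BUNDLE)))   # ['HP-UX Issuing CA']
```

To use it against real material, feed split_pem the bundle text and ldif_binary_values the output of, for example, `ldapsearch -x -LLL -H ldap://ldap.example.com -b "cn=HP-UX Issuing CA,ou=PKI,dc=example,dc=com" -s base "(objectClass=*)" "certificateRevocationList;binary"` (host and DN assumed), then write each to_pem result to its own file before running ipsec_config add cacert and ipsec_config add crl. The Name matching is a byte comparison of the encoded issuer and subject, which is what a correctly built chain gives you; a fetched CRL whose issuer matches none of your CA certificates means you retrieved the wrong entry or the wrong attribute, and a CA that stays in the cas_without_crl output still needs its CRL before the chain can be used for IKE authentication.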
Configuring Certificates
Use the following procedure to configure certificates for HP-UX IPSec. You must also complete the
configuration tasks for the main product components, as described in Chapter 4: “Configuring
HP-UX IPSec” (page 57).
You create one certificate for each HP-UX IPSec system that uses RSA signatures for IKE authentication.
If the local system is multihomed (has multiple IP addresses), you still create only one certificate for
the system, not one per address.
1. If you are not using a CA or PKI utility to create the local system certificate, use the
ipsec_config add csr command to create a Certificate Signing Request (CSR) for the
local system. This task is described in “Step 1: (Optional) Getting a Certificate for the Local
System” (page 103). You must also submit the Certificate Signing Request to the CA.
2. Use the ipsec_config add mycert command to add the local system certificate to the
HP-UX IPSec storage scheme. This task is described in “Step 2: Adding the Local Certificate”
(page 105).
3. Use the ipsec_config add cacert command to add CA certificates to the HP-UX IPSec
storage scheme. This task is described in “Step 3: Adding the CA Certificates” (page 107).
4. Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage
scheme. This task is described in “Step 4: Adding the CRL” (page 109).
5. If the CA distributes the CRL to an LDAP directory, you can also modify the root user’s crontab
file to retrieve the CRL from the LDAP directory. This task is described in “Step 5: Retrieving
the CRL Using cron” (page 111).
102 Using Certificates with HP-UX IPSec