HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Step 1: (Optional) Getting a Certificate for the Local System
There are two methods you can use to obtain a certificate for the local system:
• Use the ipsec_config add csr command to create a Certificate Signing Request (CSR)
for the local system. The ipsec_config utility generates a public/private key pair and
unsigned certificate for the local system.
To use this method, the CA must accept CSRs in PKCS#10 format.
• Use a utility provided by the PKI or CA to create a public/private key pair and certificate
for the local system.
To use this method, the CA must provide a PKCS#12 file that contains the system certificate
and the corresponding private key. Because the key pair is generated outside the local system,
the private key exists on another system (at least the one where it was generated) and must be
transferred to the local system.
One advantage of using the ipsec_config add csr command to create a CSR is that the
private key is generated on the local system and remains there; only the CSR (which carries the
public key) leaves the system, so the private key is never exposed to another system.
Using the ipsec_config add csr Command
The ipsec_config add csr command performs the following tasks:
• Generates a public/private key pair for the local system. It stores the private key in the file
/var/adm/ipsec/certstore/mykey.pem and makes this file accessible only to users
with superuser capabilities.
• Creates a PKCS#10 Certificate Signing Request, PEM formatted, and stores it in the file
/var/adm/ipsec/ipsec.csr.
ipsec_config add csr Syntax
The add csr functionality is not supported in ipsec_config batch files. Use the following
ipsec_config add csr syntax to create a certificate request:
ipsec_config add csr -subj[ect_name] subject_name
[-alt-ipv4 ipv4_addr1 [-alt-ipv4 ipv4_addr2 ... -alt-ipv4 ipv4_addr20 ]]
[-alt-fqdn fqdn1 [-alt-fqdn fqdn2 ... -alt-fqdn fqdn20]]
[-alt-user-fqdn user_fqdn1 [-alt-user-fqdn user_fqdn2 ... -alt-user-fqdn user_fqdn20]]
[-key-length number_bits ] [-days number_days]
NOTE: The ipsec_config add csr command supports specifying multiple values (up to 20)
for each of the following types of alternative names in the subjectAlternativeName field of the
certificate:
-alt-ipv4
-alt-fqdn
-alt-user-fqdn
TIP: If the peer is an HP-UX system, use the following syntax to create a certificate request with
the local IP address as the subjectAlternativeName. This simplifies the configuration of the
authentication records, because the IKE daemon uses IP addresses for IKE IDs by default and
the IKE ID must match an identity carried in the peer's certificate.
ipsec_config add csr -subject subject_name
-alt-ipv4 ipv4_addr
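The following is an added example and is not part of the HP-UX IPSec guide or of the ipsec_config utility. It builds, with the OpenSSL command line, the same two artifacts that ipsec_config add csr produces (an owner-only readable private key and a PEM PKCS#10 request whose subjectAlternativeName carries an IPv4 address, an FQDN and a user FQDN) and then checks the request before it is sent to the CA: that its self-signature verifies, that the expected alternative names are present, and that the key file is not readable by group or others. The host name, addresses, e-mail address and work directory are hypothetical; on HP-UX the real files are /var/adm/ipsec/certstore/mykey.pem and /var/adm/ipsec/ipsec.csr.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): OpenSSL equivalent of
#   ipsec_config add csr -subject "CN=host1,C=US" -alt-ipv4 192.0.2.10 \
#       -alt-fqdn host1.example.com -alt-user-fqdn admin@example.com
# plus the checks a practitioner runs on the CSR before submitting it.
# Host name, addresses and the work directory are hypothetical.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYFILE="$WORKDIR/mykey.pem"   # stands in for /var/adm/ipsec/certstore/mykey.pem
CSRFILE="$WORKDIR/ipsec.csr"   # stands in for /var/adm/ipsec/ipsec.csr

# dn_to_openssl "CN=host1,C=US" -> "/CN=host1/C=US"
# (the guide's X.500 DN syntax to OpenSSL's -subj syntax; values must not contain commas)
dn_to_openssl() {
    printf '%s' "$1" | sed 's#,#/#g; s#^#/#'
}

# make_csr DN SAN [KEYBITS]: generate the key pair and the PKCS#10 request.
# SAN uses OpenSSL's list syntax IP:..., DNS:..., email:..., which map to the
# guide's -alt-ipv4, -alt-fqdn and -alt-user-fqdn options respectively.
make_csr() {
    dn=$1; san=$2; bits=${3:-2048}
    # umask in a subshell so the key (and CSR) are created mode 0600 and the
    # caller's umask is left untouched; -nodes leaves the key unencrypted,
    # as mykey.pem is, so file permissions are its only protection
    (umask 077 && openssl req -new -newkey "rsa:$bits" -nodes \
        -keyout "$KEYFILE" -out "$CSRFILE" \
        -subj "$(dn_to_openssl "$dn")" \
        -addext "subjectAltName=$san" >/dev/null 2>&1)
}

# csr_verify FILE: succeeds only if the request's self-signature checks out,
# i.e. the public key in the request matches the private key that signed it
csr_verify() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_san FILE: print the subjectAltName line of the request
csr_san() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# csr_has_san FILE ENTRY: succeeds if ENTRY (e.g. "IP Address:192.0.2.10") is listed
csr_has_san() {
    csr_san "$1" | grep -q -F "$2"
}

# key_is_private FILE: succeeds if group and others have no permission bits at all
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

SAN="IP:192.0.2.10,DNS:host1.example.com,email:admin@example.com"
make_csr "CN=host1,C=US" "$SAN"
csr_verify "$CSRFILE"
echo "CSR written to $CSRFILE with subjectAltName:"
csr_san "$CSRFILE"
key_is_private "$KEYFILE" && echo "private key $KEYFILE is readable only by its owner"
```

Only ipsec.csr is sent to the CA; mykey.pem stays on the system, which is the property the guide cites as the advantage of this method over importing a PKCS#12 file. If the CA-issued certificate later comes back without the IP address in its subjectAlternativeName, the peer's IKE ID will not match and authentication fails, so check the SAN on the CSR before submission and on the returned certificate afterwards.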
-subject subject_name
The value you want in the subjectName field for the certificate in X.500 Distinguished Name (DN)
format. HP-UX IPSec supports the following attributes:
CN=commonName
C=country