HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

O=organization
OU=organizationalUnit
The attributes are all optional, but you must specify at least one. Separate multiple attributes using
commas. The order of the attributes is ignored and the DN is not case sensitive.
If there are spaces in the DN, you must enclose the DN in double quotes (""). For example,
"CN=host1,C=US,O=My Company,OU=Blue Lab".
The values are defined as follows:
commonName : The commonName of the DN in printable string format. This field cannot contain
commas and must be 64 bytes or less.
country : The two-character ISO 3166-1 code for the country listed in the DN, for example US
for United States of America. This field cannot contain commas.
organization : The organization of the DN, for example Hewlett-Packard. This field cannot
contain commas and must be 64 bytes or less.
organizationalUnit : The organizationalUnit for the DN, for example Marketing. This field
cannot contain commas and must be 64 bytes or less.
Default: None.
-alt-ipv4 ipv4_addr
This specifies the IPv4 address you want in the subjectAlternativeName field of the certificate. You
can specify up to 20 IPv4 addresses by repeating the -alt-ipv4 ipv4_addr argument
accordingly.
For example, the following specifies three IPv4 addresses:
-alt-ipv4 192.6.2.2 -alt-ipv4 192.6.2.3 -alt-ipv4 192.6.2.5
TIP: HP recommends that you specify the -alt-ipv4 argument (or -alt-ipv6 , if the system
uses IPv6 addresses) for most topologies. HP-UX IPSec uses IP addresses for IKE IDs by default, so
if you specify -alt-ipv4 (or -alt-ipv6 ) and the system is not multihomed, you will not have
to configure an authentication record for this system on the local system, and you will not have to
configure an authentication record for this system on remote systems.
The exception to the above recommendation is topologies where you are using IKE with RSA
signatures for Mobile IPv6. RFC 3775 specifies that you must not use IPv6 addresses as IKE IDs
when using IKE with Mobile IPv6.
Default: None.
-alt-ipv6 ipv6_addr
The IPv6 address you want in the subjectAlternativeName field for the certificate, entered in
colon-hexadecimal notation.
Default: None.
-alt-fqdn fqdn
This specifies the FQDN (Fully Qualified Domain Name) you want in the subjectAlternativeName
field of the certificate, such as myhost.acme.com. The FQDN is also called the Domain Name
Service or DNS name. You can specify up to 20 FQDNs by repeating the -alt-fqdn fqdn argument
accordingly.
For example, the following specifies two FQDNs:
-alt-fqdn myhost1.acme.com -alt-fqdn myhost2.acme.com
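The DN and subjectAlternativeName rules above can be checked before a certificate request is submitted. The following is an added example, not part of the HP guide or of HP-UX IPSec; the function names are hypothetical, byte lengths are counted as UTF-8 (an assumption), and no count limit is applied to -alt-ipv6 because the text above does not state one.

```python
import ipaddress

MAX_VALUE_BYTES = 64   # limit stated for commonName, organization, organizationalUnit
MAX_ALT_NAMES = 20     # limit stated for -alt-ipv4 and -alt-fqdn
DN_ATTRS = {"CN", "C", "O", "OU"}

def check_dn(dn):
    """Return a list of problems with a DN string; an empty list means it passes."""
    if not dn.strip():
        return ["DN must contain at least one attribute"]
    problems = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        key, value = key.strip().upper(), value.strip()   # DN is not case sensitive
        if not sep or key not in DN_ATTRS:
            # A comma inside a value ends up here: the split leaves a
            # fragment that has no recognised attribute name.
            problems.append(f"unrecognised component {part.strip()!r}")
        elif not value:
            problems.append(f"{key} has no value")
        elif key == "C" and not (len(value) == 2 and value.isascii() and value.isalpha()):
            problems.append("C must be a two-character country code")
        elif key != "C" and len(value.encode("utf-8")) > MAX_VALUE_BYTES:
            problems.append(f"{key} value exceeds {MAX_VALUE_BYTES} bytes")
    return problems

def as_typed(dn):
    """Enclose the DN in double quotes when it contains spaces."""
    return f'"{dn}"' if " " in dn else dn

def check_alt_names(ipv4=(), ipv6=(), fqdn=()):
    """Check subjectAlternativeName values against the stated limits."""
    problems = []
    for flag, values in (("-alt-ipv4", ipv4), ("-alt-fqdn", fqdn)):
        if len(values) > MAX_ALT_NAMES:
            problems.append(f"{flag} given {len(values)} times, limit is {MAX_ALT_NAMES}")
    for cls, flag, values in ((ipaddress.IPv4Address, "-alt-ipv4", ipv4),
                              (ipaddress.IPv6Address, "-alt-ipv6", ipv6)):
        for v in values:
            try:
                cls(v)   # raises ValueError on a malformed address
            except ValueError:
                problems.append(f"{flag} {v!r} is not a valid address")
    return problems
```

A value such as O=Acme, Inc is reported as an unrecognised component, which is how the "cannot contain commas" rule shows up in practice.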