HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

-alt-user-fqdn user_fqdn1
This specifies the User-FQDN you want in the subjectAlternativeName field of the certificate, such
as johnson@myhost.acme.com.
You can specify up to 20 User-FQDNs by repeating the -alt-user-fqdn user_fqdn argument
accordingly.
For example, the following specifies two User-FQDNs:
-alt-user-fqdn johnson@myhost.acme.com -alt-user-fqdn nichols@home.acme.com
-key-length
The key length for the public/private keys, in bits. Verify that the value you specify is allowed by
your CA.
Valid Values: 512, 1024, 2048, or 4096 (bits).
Default: 1024.
-days number_days
Number of days for which the certificate will be valid. Verify that the value you specify is within
the range allowed by your CA.
Range: 1 - 65535.
Default: 365.
Example
The following command creates a CSR for the local host with its IPv4 address as the
subjectAlternativeName and the DN cn=myhost,c=us,o=hp,ou=lab as the subjectName:
ipsec_config add csr -subject "cn=myhost,c=us,o=hp,ou=lab" \
-alt-ipv4 15.1.1.1
In the following example, the ipsec_config add csr command specifies two IPv4 addresses, two
FQDNs, and a single User-FQDN as alternative names in the specified certificate:
%ipsec_config add csr -subject cn=myhost,c=us,o=hp,ou=lab \
-alt-ipv4 192.6.2.2 -alt-ipv4 192.6.1.1 \
-alt-fqdn myhost.hp.com -alt-fqdn myhost2.hp.com \
-alt-user-fqdn roadrunner@acme.com
In the following example, the command specifies one IPv4 address, one FQDN, and two
User-FQDNs:
%ipsec_config add csr -subject cn=myhost,c=us,o=hp,ou=lab \
-alt-user-fqdn roadrunner@acme.com \
-alt-user-fqdn bunny@acme.com -alt-user-fqdn wolf@acme.com
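The limits documented above (one value per option, at most 20 User-FQDNs, the four valid key lengths, and the -days range) can be checked before the command is run. The following is an added example, not part of the HP guide or the ipsec_config utility; check_csr_args is a hypothetical helper, and it assumes every option takes exactly one value and that no value begins with a hyphen.

```shell
#!/bin/sh
# Added example, not from the HP guide: check_csr_args is a hypothetical helper.
# Pass it the arguments that would follow "ipsec_config add csr".
# Prints one line per problem found; returns 1 if there were any, else 0.
check_csr_args() {
    ufqdn=0
    rc=0
    while [ $# -gt 0 ]; do
        opt=$1
        shift
        case "$opt" in
        -*) ;;
        *)  # A bare value: the option was not repeated in front of it.
            echo "value '$opt' has no option in front of it"
            rc=1
            continue ;;
        esac
        # Assumption: each option is followed by exactly one value.
        if [ $# -eq 0 ] || case "$1" in -*) true ;; *) false ;; esac; then
            echo "option $opt has no value"
            rc=1
            continue
        fi
        val=$1
        shift
        case "$opt" in
        -alt-user-fqdn)
            ufqdn=$((ufqdn + 1)) ;;
        -key-length)
            case "$val" in
            512|1024|2048|4096) ;;
            *) echo "-key-length $val is not 512, 1024, 2048 or 4096"; rc=1 ;;
            esac ;;
        -days)
            case "$val" in
            ''|*[!0-9]*) echo "-days $val is not a number"; rc=1 ;;
            *) if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
                   echo "-days $val is outside 1 - 65535"; rc=1
               fi ;;
            esac ;;
        esac
    done
    if [ "$ufqdn" -gt 20 ]; then
        echo "$ufqdn User-FQDNs given, the limit is 20"
        rc=1
    fi
    return $rc
}
```

Options the helper does not recognize are accepted without further checks, so it only reports on the limits listed in this section.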
Submitting the Certificate Signing Request to the CA
Submit the PKCS#10 Certificate Signing Request (CSR) to the CA to request a signed certificate
for the local system. The ipsec_config utility stores the CSR in the file
/var/adm/ipsec/ipsec.csr.
PKI vendors support different methods for submitting CSRs. A CA implementation can have a
web-based interface with a file upload mechanism or a "copy and paste" mechanism, where the
user copies the contents of the CSR into a buffer and pastes the contents into a field on a web
page. Other vendors require you to transfer the file to the CA system using a secure mechanism,
and then specify the file name using a command-line interface.
Step 2: Adding the Local Certificate
After the CA creates signed certificates for the local system, use the ipsec_config add mycert
command to add the certificates to the HP-UX IPSec storage scheme.