HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Multiple Level CAs
If you are using multiple-level CAs, you must use the ipsec_config add cacert command to
add a certificate for each CA in the authentication chain to the peer as described in “Multiple
Level CA Requirements” (page 102).
Each CA certificate must be contained in a separate file or directory object; HP-UX cannot store
multiple certificates enclosed in a single file or directory object.
ipsec_config add cacert -file Syntax
Use the following ipsec_config add cacert syntax to add a CA certificate to the HP-UX
IPSec storage scheme:
ipsec_config add cacert -file cacert_filename
-file cacert_filename
The name of the DER or PEM file containing the certificate for the CA. If the file is password
protected, ipsec_config prompts you for the password.
Default: None.
Examples
The following command extracts a CA certificate from the file /tmp/cacert.pem:
ipsec_config add cacert -file /tmp/cacert.pem
The following example retrieves three CA certificates for a multiple-level CA structure. The local
system uses a certificate from the CA WestCA. The peer uses a certificate from the CA EastCA.
WestCA and EastCA are child CAs below the CA RootCA.
ipsec_config add cacert -file /tmp/WestCAcert.pem
ipsec_config add cacert -file /tmp/EastCAcert.pem
ipsec_config add cacert -file /tmp/RootCAcert.pem
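Because HP-UX IPSec stores only one CA certificate per file, a CA bundle (several PEM certificates concatenated into one file, as many CAs distribute them) has to be split before any of its members can be added. The following POSIX shell script is an added example, not part of the HP-UX guide: it counts the certificate blocks in a file, splits a bundle into one-certificate files, and prints the ipsec_config add cacert -file command for each piece so the administrator can review the plan before running it on the HP-UX system. The bundle it builds contains constructed placeholder bodies, not real certificates, and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide. HP-UX IPSec requires each
# CA certificate in its own file, so a CA bundle (several PEM certificates
# concatenated) must be split before it can be added with
# "ipsec_config add cacert -file". File names and certificate bodies below
# are constructed for illustration.

# count_certs FILE: print how many PEM certificate blocks FILE contains.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# check_single_cert FILE: succeed only if FILE holds exactly one certificate,
# which is what the HP-UX storage scheme accepts per file.
check_single_cert() {
    [ "$(count_certs "$1")" -eq 1 ]
}

# split_bundle BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cacert-N.pem (N = 1, 2, ...) and print the number of files written.
# Text outside BEGIN/END markers (comments, subject lines) is dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cacert-" n ".pem"; inblk = 1 }
        inblk { print > out }
        /^-----END CERTIFICATE-----$/   { inblk = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# plan_add_commands OUTDIR: print one "ipsec_config add cacert -file" command
# per split file, for review before running them on the HP-UX system.
# Files that do not contain exactly one certificate are reported and skipped.
plan_add_commands() {
    for f in "$1"/cacert-*.pem; do
        check_single_cert "$f" || { echo "skip $f: not exactly one certificate" >&2; continue; }
        echo "ipsec_config add cacert -file $f"
    done
}

# make_sample_bundle FILE: write a constructed three-certificate bundle
# (placeholder base64-looking bodies, not real certificates) to FILE.
make_sample_bundle() {
    i=1
    : > "$1"
    for name in WestCA EastCA RootCA; do
        {
            echo "# constructed placeholder for $name"
            echo "-----BEGIN CERTIFICATE-----"
            echo "MIIBconstructed${name}placeholder${i}=="
            echo "-----END CERTIFICATE-----"
        } >> "$1"
        i=$((i + 1))
    done
}

# Stand-alone demonstration in a temporary directory.
demo_dir=${TMPDIR:-/tmp}/cacert-split.$$
mkdir -p "$demo_dir"
make_sample_bundle "$demo_dir/bundle.pem"
echo "bundle holds $(count_certs "$demo_dir/bundle.pem") certificates"
split_bundle "$demo_dir/bundle.pem" "$demo_dir/split" >/dev/null
plan_add_commands "$demo_dir/split"
rm -rf "$demo_dir"
```

The split files are named by position only; before adding them, inspect each one (for example with openssl x509 -noout -subject -issuer -in FILE, where available) so that the files passed to ipsec_config are the CA certificates you intend to trust and nothing else in the bundle.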
ipsec_config add cacert -ldap Syntax
Use the following ipsec_config add cacert syntax to retrieve a CA certificate from an LDAP
directory and add the certificate to the HP-UX IPSec storage scheme:
ipsec_config add cacert -ldap server [-port port_number]
-base search_base [-filter search_filter] [-user user [-password password]]
-ldap server
The hostname or address of the LDAP server where the CA certificate is stored.
Default: None.
-port port_number
TCP port number for the LDAP server.
Range: 1 - 65535.
Default: 389, the IANA registered TCP port number for LDAP.
-base search_base
Search base for the certificate, in X.500 Distinguished Name (DN) format, such as
C=US,O=HP,OU=Lab. The search base with the search filter appended to it forms a search path
to the location of the cACertificate attribute in the LDAP directory.
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example,
"C=US,O=My Company,OU=Blue Lab".
Default: None.
108 Using Certificates with HP-UX IPSec