HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

1. Create a CSR. In this example, the peer is an HP-UX system. By default, HP-UX IPSec uses the IP address in the certificate Subject DistinguishedName field for IKE IDs, so the administrator creates a CSR for the local system with the local IP address in the certificate:
ipsec_config add csr -subject c=US,o=HP,cn=hostA \
-alt-ipv4 15.1.1.1
HP-UX IPSec creates a CSR in PKCS#10 format, PEM encoded, and stores it in /var/adm/ipsec/ipsec.csr.
The administrator submits the contents of the /var/adm/ipsec/ipsec.csr file to the CA. The submission method varies from vendor to vendor.
2. Receive a PEM file from the CA with a signed certificate for the local system (/tmp/hostA.pem). Add the certificate to the HP-UX storage scheme:
ipsec_config add mycert -file /tmp/hostA.pem
3. Receive a PEM file from the CA with a certificate for the CA (/tmp/cacert.pem). Add the certificate to the HP-UX storage scheme:
ipsec_config add cacert -file /tmp/cacert.pem
4. Create or receive a CRL from the CA. Add the CRL to the HP-UX storage scheme. In this example, the CRL is stored on the LDAP server with address 10.40.40.40 (the filter value contains spaces, so it is quoted for the shell):
ipsec_config add crl -ldap 10.40.40.40 \
-base C=US,O=HP -filter "CN=The Big CA"
5. Configure cron to automatically retrieve the CRL from the LDAP server by scheduling it to execute /var/adm/ipsec/util/crl.cron for the root user.
Managing Certificate Data
This section contains information about certificate data storage and how to view and delete
certificate data.
Certificate Storage
HP-UX IPSec stores certificate data in the /var/adm/ipsec/certstore directory. The contents of this directory are as follows:
mycert.pem: certificate for the local system
mykey.pem: private key for the local system certificate
rootcert.pem: softlink to the certificate file for the root CA
hash.0: CA certificate file, where hash is a hash value generated from the CA certificate's subject name
hash.r0: CRL file, where hash is a hash value generated from the CRL issuer's name
The ipsec_config add csr command saves the CSR in the file /var/adm/ipsec/ipsec.csr.
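The script below is an added example, not part of the HP-UX IPSec guide or of HP's software. It wraps the five enrollment steps above with pre-flight checks on the PEM files the CA returns (PEM framing, chain to the CA certificate, presence of the -alt-ipv4 address in the subjectAltName, and public key agreement with mykey.pem) and computes the hash.0 and hash.r0 file names used in the certstore. It assumes an OpenSSL command line is installed; the helper names (check_pem_file, check_signed_cert, cacert_store_name, enroll_install and the rest), the test inputs and the cron schedule are constructed here, and only the ipsec_config commands and the /var/adm/ipsec paths come from the guide.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: pre-flight checks for the
# PEM files a CA returns, run before they are handed to "ipsec_config add ...",
# plus the certstore file names the guide describes. Assumes the OpenSSL command
# line is installed; the PEM framing checks need only grep. All helper names,
# the test inputs and the cron schedule are constructed here; only the
# ipsec_config commands and the /var/adm/ipsec paths come from the guide.

CERTSTORE=/var/adm/ipsec/certstore

# Number of "-----BEGIN <type>-----" blocks of one PEM type in a file (0 if the
# file is missing). No end-of-line anchor, so CRLF files from a Windows CA count too.
pem_block_count() {
    n=$(grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# A file for "add mycert" or "add cacert" must hold exactly one CERTIFICATE
# block and no private key: a key+cert bundle, a CSR, or a whole chain pasted
# into the wrong file is refused here instead of surfacing as an IKE failure.
check_pem_file() {
    file=$1; want=$2
    if [ "$(pem_block_count "$file" "$want")" -ne 1 ]; then
        echo "$file: expected exactly one $want block" >&2; return 1
    fi
    for t in "PRIVATE KEY" "RSA PRIVATE KEY" "EC PRIVATE KEY" "ENCRYPTED PRIVATE KEY"; do
        if [ "$(pem_block_count "$file" "$t")" -ne 0 ]; then
            echo "$file: carries a $t block; keep the private key out of this file" >&2; return 1
        fi
    done
    return 0
}

# The signed certificate must chain to the CA certificate and carry the IPv4
# subjectAltName requested with -alt-ipv4, the value HP-UX IPSec uses as IKE ID.
check_signed_cert() {
    cert=$1; cacert=$2; ip=$3
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not verify against $cacert" >&2; return 1
    fi
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the pattern
    if ! openssl x509 -in "$cert" -noout -text | grep -Eq "IP Address:$ip_re(,|[[:space:]]|\$)"; then
        echo "$cert: subjectAltName does not contain IP $ip" >&2; return 1
    fi
    return 0
}

# The certificate's public key must belong to the private key HP-UX IPSec holds
# as mykey.pem; an empty result (unreadable file) is a failure, not a match.
check_cert_matches_key() {
    cert=$1; key=${2:-$CERTSTORE/mykey.pem}
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# certstore names for a CA certificate (hash.0, subject name hash) and a CRL
# (hash.r0, issuer name hash). OpenSSL 1.0+ hashes the canonical name with
# SHA-1; stores built with the older MD5 scheme need -subject_hash_old / -hash_old.
cacert_store_name() { echo "$(openssl x509 -in "$1" -noout -subject_hash).0"; }
crl_store_name()    { echo "$(openssl crl -in "$1" -noout -hash).r0"; }

# Step 1: request the certificate; the CSR lands in /var/adm/ipsec/ipsec.csr
# and is submitted to the CA out of band.
enroll_request() {
    ipsec_config add csr -subject c=US,o=HP,cn=hostA -alt-ipv4 "$1"
}

# Steps 2-5 once the CA has returned the two PEM files. Not run at load time;
# invoke as:  enroll_install 15.1.1.1 /tmp/hostA.pem /tmp/cacert.pem
enroll_install() {
    ip=$1; hostcert=$2; cacert=$3
    check_pem_file "$hostcert" CERTIFICATE        || return 1
    check_pem_file "$cacert" CERTIFICATE          || return 1
    check_signed_cert "$hostcert" "$cacert" "$ip" || return 1
    check_cert_matches_key "$hostcert"            || return 1
    ipsec_config add mycert -file "$hostcert"     || return 1
    ipsec_config add cacert -file "$cacert"       || return 1
    ipsec_config add crl -ldap 10.40.40.40 -base C=US,O=HP -filter "CN=The Big CA" || return 1
    # Step 5: root's crontab runs the guide's CRL refresh script; the daily
    # 02:00 schedule is an assumption, the guide leaves the interval open.
    line='0 2 * * * /var/adm/ipsec/util/crl.cron'
    crontab -l 2>/dev/null | grep -q crl.cron ||
        { crontab -l 2>/dev/null; echo "$line"; } | crontab -
}
```

After enroll_install has run, the CA certificate should appear in /var/adm/ipsec/certstore under the name printed by cacert_store_name; if it does not, try the -subject_hash_old variant before assuming the add failed. Note also that current OpenSSL releases reject MD5-based certificate signatures during chain verification, so a CA that still issues md5WithRSAEncryption certificates like the sample output in the next section will fail check_signed_cert even though the file itself is well-formed.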
Viewing the Local System Certificate
To view the contents of the local system certificate, use the following command:
ipsec_config show mycert
For example:
# ipsec_config show mycert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=HP, OU=LAB, CN=issuerCA/emailAddress=root@foo.hp.com
        Validity
112 Using Certificates with HP-UX IPSec