Using Microsoft Certificates with HP-UX IPSec A.02.01

C=country
O=organization
OU=organizationalUnit
The attributes are all optional, but you must specify at least one. Separate multiple attributes
using commas. The order of the attributes is ignored and the DN is not case sensitive.
If there are spaces in the DN, you must enclose the DN in double quotes ("").
For example:
ipsec_config add csr -subject "CN=foo2,o=hp,ou=foo,c=us"
HP-UX IKE Peers
If all the IKE peers are HP-UX systems, HP recommends that you use the following
ipsec_config add csr syntax. This syntax specifies the system's IPv4 address for the
subjectAlternativeName and simplifies your configuration, because HP-UX IPSec uses IPv4
addresses for IKE IDs when no authentication records are configured.
ipsec_config add csr -subject subject_name -alt-ipv4 ip_address
The ip_address is the local IP address. For example:
ipsec_config add csr -subject CN=foo2 -alt-ipv4 10.2.2.2
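The following shell helper is an added example, not part of the HP documentation or of ipsec_config. It checks a -subject DN and an -alt-ipv4 address against the rules described above before printing the command to run, which is useful when CSR commands are generated for many systems. The function names are hypothetical, and accepting only CN, C, O and OU (the attribute types visible on this page) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not HP code. Checks ipsec_config add csr arguments against
# the DN rules on this page before printing the command to run.

# Succeeds if DN is a comma-separated list of CN, C, O, OU attributes
# (any case, any order, at least one, no empty values). Assumption: only
# the attribute types shown on this page are accepted.
check_subject() (
    dn=$1
    case $dn in
        ''|*,) echo "subject: empty DN or trailing comma" >&2; exit 1 ;;
        *\"*|*\$*|*\`*|*\\*) echo "subject: shell metacharacter in DN" >&2; exit 1 ;;
    esac
    IFS=,
    set -f                                  # split on commas, no globbing
    for rdn in $dn; do
        rdn=${rdn#"${rdn%%[! ]*}"}          # trim leading spaces
        case $rdn in
            *=?*) ;;
            *) echo "subject: bad attribute '$rdn'" >&2; exit 1 ;;
        esac
        key=$(printf '%s' "${rdn%%=*}" | tr '[:lower:]' '[:upper:]')
        case $key in
            CN|C|O|OU) ;;
            *) echo "subject: unknown attribute type '$key'" >&2; exit 1 ;;
        esac
    done
)

# Succeeds if ADDR is a dotted-quad IPv4 address with octets 0-255.
check_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Prints the ipsec_config command line for SUBJECT and optional local IPV4.
csr_command() {
    check_subject "$1" || return 1
    if [ -n "${2-}" ]; then
        check_ipv4 "$2" || { echo "alt-ipv4: not an IPv4 address" >&2; return 1; }
        printf 'ipsec_config add csr -subject "%s" -alt-ipv4 %s\n' "$1" "$2"
    else
        printf 'ipsec_config add csr -subject "%s"\n' "$1"
    fi
}
```

The printed command always double-quotes the DN, so subjects that contain spaces are passed as a single argument.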
Additional Options
The full syntax of the ipsec_config add csr command enables you to specify other ID types
for the certificate subjectAlternativeName, the number of days the certificate will be valid, and
the public/private key length. The default key length is 1024 bits, which is also the default key
length when requesting certificates on Windows systems.
See ipsec_config_add(1M) for more information.
Step 2: Submitting the CSR
This section describes two methods for submitting the CSR:
• Using the web-based Microsoft Certificate Services utility.
• Using the certreq command. This method is useful for submitting CSRs from multiple systems.
Using the Microsoft Certificate Services Utility to Submit a CSR
On the system where the CSR is located, use the following procedure to submit the CSR to the
Windows Certificate Authority (CA):
1. If you do not have a web browser on your HP-UX system that can access the Windows CA's
web interface, copy the CSR file, /var/adm/ipsec/ipsec.csr, to a system with access.
Start a web browser and connect to the Microsoft Certificate Services on the CA system
using the following URL:
http://ca_system/certsrv
where ca_system is the CA system name or IP address.
2. The Microsoft Certificate Services utility starts and displays the Welcome page (Figure 1).
Select Request a certificate.