Using Microsoft Certificates with HP-UX IPSec A.02.01
Configuring a Certificate for an HP-UX Client
This section describes how to use the HP-UX ipsec_config utility to create a Certificate Signing
Request (CSR) and acquire a certificate from a Microsoft Windows root CA for an HP-UX client,
and how to configure HP-UX IPSec to use the certificate.
This section also describes how to complete the necessary CA tasks using the Windows
Certification Authority GUI and the web-based Microsoft Certificate Services utility. It also
describes how to perform some of the CA tasks using the certreq and certutil commands.
For information on using alternative Windows utilities, see the Windows documentation set.
Complete the following steps to configure a certificate for an HP-UX client:
1. On the HP-UX system, use the ipsec_config add csr command to create a Certificate
Signing Request (CSR). See “Step 1: Creating the Certificate Signing Request” (page 9).
2. Submit the CSR to the Windows Certificate Authority (CA). See “Step 2: Submitting the
CSR” (page 10).
3. On the Windows CA system, approve the CSR and create the certificate. See “Step 3:
Approving the CSR” (page 13).
4. On the Windows CA system, export the certificate to a file in Base-64 encoded X.509 format.
See “Step 4: Exporting the Client Certificate” (page 14).
5. On the Windows CA system, export the CA's certificate. See “Step 5: Exporting the CA's
Certificate” (page 17).
6. On the HP-UX system, use the ipsec_config add cert command to add the client
certificate and CA certificate to the HP-UX IPSec storage scheme. See “Step 6: Adding the
Client and CA Certificate to HP-UX IPSec” (page 18).
7. (Optional) On the HP-UX system, use the ipsec_config show cert command to verify
the contents of the certificate. See “Step 7: (Optional) Verifying the Client Certificate”
(page 18).
8. Download the Certificate Revocation List (CRL). See “Step 8: Downloading the Certificate
Revocation List” (page 18).
9. On the HP-UX system, use the ipsec_config add crl command to add the CRL to the
HP-UX IPSec storage scheme. See “Step 9: Adding the CRL to HP-UX IPSec” (page 20).
10. Complete the HP-UX IPSec configuration. This step includes adding or modifying an IKE
policy to use RSA signatures for IKE authentication and adding authentication records, if
necessary. See “Step 10: Completing the HP-UX IPSec Configuration” (page 20).
Step 1: Creating the Certificate Signing Request
On the HP-UX system, use the ipsec_config add csr command to create a Certificate
Signing Request (CSR). This command also generates the public/private key pair for the certificate
and stores the CSR in the file /var/adm/ipsec/ipsec.csr. The CSR is stored in Public Key
Cryptography Standards (PKCS) Certification Request Syntax #10 format (commonly referred
to as PKCS#10) and encoded using Privacy-Enhanced Mail (PEM) base64 encoding.
The options for the ipsec_config add csr command vary according to the system types of the IPsec
Internet Key Exchange (IKE) peers (the remote systems that will use the certificate to authenticate
the identity of the local system during IKE negotiations).
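Before a CSR is handed to the Windows CA it is worth confirming that the file really is a PEM-wrapped PKCS#10 request and that its subject carries the DN attributes you intended. The following script is an added example, not part of the HP-UX document or the ipsec_config utility: a dependency-free DER walker that decodes the PEM, checks the PKCS#10 outer structure (CertificationRequest and CertificationRequestInfo sequences as defined in RFC 2986), and returns the subject as (attribute, value) pairs. The sample request it inspects is constructed in-script with a placeholder key and signature so the script runs offline; on an HP-UX client you would read /var/adm/ipsec/ipsec.csr instead. The hostname and organisation in the sample are made-up values.

```python
"""Inspect a PEM-encoded PKCS#10 CSR and report its subject DN (added example)."""
import base64
import re

# X.500 attribute types that commonly appear in an IPsec certificate subject.
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
           "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Accept both PEM header variants seen for PKCS#10 requests.
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


# ---- minimal DER decoding -------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed type into its child (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, inner, pos = der_read(contents, pos)
        out.append((tag, inner))
    return out


def decode_oid(contents):
    """Decode OID contents to dotted form, e.g. b'\\x55\\x04\\x03' -> '2.5.4.3'."""
    arcs, n = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def csr_subject(pem_text):
    """Return the subject DN of a PEM PKCS#10 CSR as a list of (attr, value) pairs."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not a PEM-encoded certificate request")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, csr, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("CSR is not a DER SEQUENCE")
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }
    info = der_children(csr)[0][1]
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attributes }
    fields = der_children(info)
    if fields[0][1] != b"\x00":
        raise ValueError("unexpected PKCS#10 version")
    dn = []
    for _, rdn in der_children(fields[1][1]):     # each RDN is a SET ...
        for _, atv in der_children(rdn):          # ... of AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, val) = der_children(atv)
            dn.append((DN_OIDS.get(decode_oid(oid), decode_oid(oid)), val.decode()))
    return dn


def dn_string(dn):
    """Render the pairs the way the -subject option spells them, e.g. 'CN=host, O=org'."""
    return ", ".join(f"{attr}={value}" for attr, value in dn)


# ---- minimal DER encoding, used only to build the CONSTRUCTED sample -----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, body)


def build_sample_csr(dn):
    """Constructed PKCS#10 body with a PLACEHOLDER key and signature (structure only)."""
    inv = {v: k for k, v in DN_OIDS.items()}
    subject = der_tlv(0x30, b"".join(
        der_tlv(0x31, der_tlv(0x30, encode_oid(inv[a]) + der_tlv(0x0C, v.encode())))
        for a, v in dn))
    rsa_alg = der_tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" * 33))   # placeholder, not a real key
    info = der_tlv(0x30, b"\x02\x01\x00" + subject + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    body = der_tlv(0x30, info + sig_alg + der_tlv(0x03, b"\x00" * 33))  # placeholder signature
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    sample = build_sample_csr([("CN", "hpclient.example.com"), ("O", "Example Corp")])
    print("subject:", dn_string(csr_subject(sample)))
```

To check a real request, replace the constructed sample with `open("/var/adm/ipsec/ipsec.csr").read()`; the parser only needs the structure, so it works on a request carrying a genuine key and signature just as it does on the placeholder one. It deliberately does not verify the self-signature, which is the CA's job on submission.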
Windows IKE Peers
If any of the IKE peers are Windows systems, use the following ipsec_config add csr
syntax. This syntax omits options for the certificate subjectAlternativeName because by default
Windows systems do not use the subjectAlternativeName field for IKE identities.
ipsec_config add csr -subject subject_name
Where subject_name is the DN. The DN consists of at least one of the following attributes:
CN=commonName
Configuring a Certificate for an HP-UX Client 9