Using Microsoft Certificates with HP-UX IPSec A.03.00

10. Transfer the file to the IPsec host system, if needed. You will specify this file in the ipsec_config add mycert -file command.
This file does not contain the private key, so confidentiality is not a concern and it can be transferred over a non-secure network link.
Using the Microsoft Certificate Services web interface to obtain host certificates
Use the following procedure to create a certificate request on the enterprise CA for an IPsec host. Both the certificate request and the certificate key pair are created on the CA system itself, so the host's private key exists on the CA until it is exported and removed. After the CA approves the request, you must export the certificate and its private key in a single PKCS#12 file (referred to as PFX in Microsoft documentation); note that this is PKCS#12, not PKCS#7, because a PKCS#7 file carries certificates only and cannot hold the private key.
1. On the enterprise CA, start a web browser and connect to the Microsoft Certificate Services web interface using the following URL:
http://ca_system/certsrv
Where ca_system is the CA system name or IP address. If you run the browser on a system other than the CA, use https:// instead so that the request and the issued certificate are not exposed to tampering in transit.
The Microsoft Certificate Services utility starts and displays the Welcome page.
2. Select Request a certificate.
3. From the Request a certificate page, select advanced certificate request.
4. From the Advanced Certificate Request page, select Create and submit a request to this CA.
5. Certificate Services displays the Advanced Certificate Request form.
Complete the form using the following guidelines:
o In the Certificate Template field, select the name of the template created in
“Configuring certificate services for IPsec on the issuing CAs,” such as the name
L2TP/IPSec (Offline request).
o In the Name field, enter the CN for the system. The Certificate Services will create a
CN attribute for the certificate subjectName from this value. For example, HP
entered host2.hpipsec.hp.com, and the approved certificate had the
subjectName cn=host2.hpipsec.hp.com.
o Select Create new key set.
o Select Automatic key container name.
o Select Mark keys as exportable. This is required because the private key must be exported to the PFX file for transfer to the HP-UX host; it also means the key can be extracted from the CA's certificate store, so remove it from the CA after the export.
o Select Store certificate in the local computer certificate store.
o Do not select Save request to a file.
Click Submit.
Unless the certificate template requires CA certificate manager approval, an enterprise CA issues the certificate automatically and displays the Certificate Issued page. If the template does require approval, Certificate Services displays a Certificate Pending page with a request ID number. Record this ID number; you will need it to approve the request. Approve the request using a procedure described in the Microsoft documentation, such as the Pending Requests folder of the Windows Certification Authority MMC or the Windows certutil -resubmit command.
6. If the web browser displays a Potential Scripting Violation window (the browser asking whether the web site may request a certificate on your behalf), click Yes.
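The following PowerShell script is an added example, not part of the HP white paper, that performs the same enrollment non-interactively with certreq and certutil and then produces the PFX file described at the start of this section: the key pair is generated as exportable in the local computer store, the request is submitted to the CA under the IPsec template, approved if the CA holds it pending, installed, and exported as PKCS#12. The CA configuration string ca_system\Enterprise-CA, the template's internal name L2TPIPSecOffline (the page only gives the display name "L2TP/IPSec (Offline request)"), and the host name host2.hpipsec.hp.com are assumptions; substitute your own values. Run it in an elevated PowerShell session on the CA.

```powershell
# Added example (not from the HP white paper). Assumed values, not from the original:
#   $CaConfig     - "<CA host>\<CA common name>" as shown by: certutil -dump
#   $TemplateName - internal (CN) name of the IPsec template, not its display name
#   $HostCn       - common name that becomes the certificate subjectName
$CaConfig     = 'ca_system\Enterprise-CA'
$TemplateName = 'L2TPIPSecOffline'
$HostCn       = 'host2.hpipsec.hp.com'

$Work = Join-Path $env:TEMP 'ipsec-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$infPath = Join-Path $Work 'host.inf'
$reqPath = Join-Path $Work 'host.req'
$cerPath = Join-Path $Work 'host.cer'

# 1. Request parameters. Exportable=TRUE and MachineKeySet=TRUE are the equivalents of
#    "Mark keys as exportable" and "Store certificate in the local computer certificate
#    store" in the web form. KeyUsage 0xA0 = digitalSignature | keyEncipherment.
$inf = @"
[NewRequest]
Subject       = "CN=$HostCn"
KeyAlgorithm  = RSA
KeyLength     = 2048
Exportable    = TRUE
MachineKeySet = TRUE
KeySpec       = 1
KeyUsage      = 0xA0
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate the key pair in the local computer store and the PKCS#10 request file.
certreq -new $infPath $reqPath | Out-Null
if (-not (Test-Path $reqPath)) { throw 'certreq -new did not produce a request file' }

# 3. Submit to the CA. With auto-issuance the certificate lands in $cerPath directly;
#    otherwise the CA reports the request as pending and returns a request ID.
$submit = certreq -submit -config $CaConfig $reqPath $cerPath | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "certreq -submit failed:`n$submit" }
$requestId = [int]$Matches[1]

if ($submit -match 'pending') {
    # Same effect as approving the request in the Certification Authority MMC.
    certutil -config $CaConfig -resubmit $requestId | Out-Null
    certreq -retrieve -config $CaConfig $requestId $cerPath | Out-Null
}
if (-not (Test-Path $cerPath)) { throw "Request $requestId was not issued" }

# 4. Install the issued certificate so it is paired with its private key in the store.
certreq -accept -machine $cerPath | Out-Null

# 5. Locate the new certificate and export certificate, chain and private key as PKCS#12.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$HostCn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $HostCn not found in LocalMachine\My" }

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
$pfxPath = Join-Path $Work "$HostCn.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

Write-Host "Request $requestId issued (thumbprint $($cert.Thumbprint)); PFX written to $pfxPath"
```

The PFX file contains the host's private key, so, unlike the certificate-only file from the previous procedure, it must be copied to the HP-UX host over a protected channel (for example scp) and the export password supplied separately. Once ipsec_config has imported it, remove the CA's copy of the key from the local computer store (Remove-Item on the certificate's Cert: path with -DeleteKey on Windows Server 2012 and later) so the only copy of the host key is on the host.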