Using Microsoft Certificates with HP-UX IPSec A.03.00
Loading the host certificate
HP loaded the host certificates from files into the HP-UX IPSec certificate store, using the
ipsec_config add mycert -file command. HP did not retrieve the HP-UX host certificate from the
Active Directory because the HP-UX host certificate was not published in the Active Directory (the
HP-UX host is not a member of the Active Directory domain).
For example:
ipsec_config add mycert -file certnew.cer
Loading the CA certificates and CRLs
If you are using enterprise CAs, you can load the CA certificates and CRLs either from the Active
Directory server or from files.
NOTE: If you are using a single-tier PKI with a standalone root CA that does not publish the CA
certificate and CRL to an Active Directory or LDAP server, you must load the CA certificate and
CRL from files. For more information, see "Loading CA Certificates from files" and "Loading CRLs from
files."
Multi-Tier PKI requirement
In the multi-tier topology, you must add the CA certificates and CRLs of every CA in the
authentication path to the peer. For example, host1 and host2 must each load the CA certificates
and CRLs of the following CAs:
IPSecRootCA
IPSecIntermCA1
IPSecIntermCA2
IPSecEntCA1
IPSecEntCA2
Loading CA Certificates from files
Use the following procedure to load a CA certificate from a file:
1. If you do not already have a file with the CA certificate, create one.
On the CA, enter the following command:
certutil -ca.cert my_CA_cert.cer
Where my_CA_cert.cer is the name for the CA certificate file.
For example:
certutil -ca.cert IPSecRootCA.cer
2. Transfer the CA certificate file to the HP-UX system. This file can be transferred over a non-secure
network link.
3. Enter the ipsec_config add cacert -file command to load the certificate. For example:
ipsec_config add cacert -file IPSecRootCA.cer
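The following script is an added example, not part of the HP document, covering the multi-tier requirement above: it loads the CA certificate and CRL of every CA in the authentication path, and because each file crosses a non-secure link it first checks the file's SHA-256 against a fingerprint recorded on the CA before the transfer. It assumes files named <CA>.cer and <CA>.crl under PKI_DIR, and that the CRL form is "ipsec_config add crl -file", mirroring the "add cacert -file" form shown here.

```sh
#!/bin/sh
# Added example, not taken from the HP document. Loads the CA certificate and
# CRL for every CA in a multi-tier authentication path, rejecting any file whose
# SHA-256 differs from the fingerprint recorded on the CA before the transfer.
# Assumed layout: <CA>.cer and <CA>.crl under $PKI_DIR; the CRL form
# "ipsec_config add crl -file" is assumed to mirror "add cacert -file".

IPSEC_CONFIG=${IPSEC_CONFIG:-ipsec_config}   # set to "echo" for a dry run
PKI_DIR=${PKI_DIR:-.}

# Print the hex SHA-256 of file $1 with whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED: succeed only if FILE is non-empty and matches.
verify_file() {
    [ -s "$1" ] || { echo "missing or empty file: $1" >&2; return 1; }
    [ "$(file_sha256 "$1")" = "$2" ] || { echo "fingerprint mismatch: $1" >&2; return 1; }
}

# load_ca_chain MANIFEST: each manifest line is "<CA name> <cert sha256> <crl sha256>".
# Verifies and loads both files for every CA, stopping at the first failure so
# an incomplete or unverified path is never trusted. Prints the count loaded.
load_ca_chain() {
    count=0
    while read -r ca cert_sum crl_sum; do
        [ -n "$ca" ] || continue                      # skip blank lines
        cert="$PKI_DIR/$ca.cer"; crl="$PKI_DIR/$ca.crl"
        verify_file "$cert" "$cert_sum" || return 1
        verify_file "$crl" "$crl_sum" || return 1
        "$IPSEC_CONFIG" add cacert -file "$cert" || return 1
        "$IPSEC_CONFIG" add crl -file "$crl" || return 1
        count=$((count + 1))
    done < "$1"
    echo "$count"
}
```

The manifest is produced on the CA side (one line per CA with the two fingerprints) and carried to the HP-UX host separately from the certificate files, so a file altered in transit fails verification before anything is added to the store.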
Loading CRLs from files
Use the following procedure to load a CRL from a file:
1. If you do not already have a file with the CRL, create one.
On the CA, enter the following command:
certutil -GetCRL my_CRL.crl
Where my_CRL.crl is the name for the CRL file.
For example: