Using Microsoft Certificates with HP-UX IPSec A.03.00
15
Loading CRLs from the Active Directory Server
To load the CRLs from the Active Directory server, use the ipsec_config add crl –ldap
command. This command requires the LDAP search filter (base and filter) for the CRL. HP used the
following syntax to specify the search filter. The base is the same as the base used for the CA
certificate filter plus a commonName field with the hostname portion of the fully-qualified domain
name (FQDN) of the issuing CA (cn=hostname). The filter has the same form as the one used for the CA
certificates, but the objectClass for the filter is cRLDistributionPoint. The format is as follows:
-base "cn=CA_commonName,cn=hostname,cn=CDP,cn=Public Key Services,
cn=Services,cn=Configuration,active_directory_domain"
-filter "objectClass=cRLDistributionPoint"
Where:
CA_commonName is the CN value for the CA, such as IPSecRootCA or IPSecIntermCA1.
hostname is the hostname portion of the fully-qualified domain name for the system, such as
hproot.
active_directory_domain is the DN for the Active Directory domain, such as
dc=HP-AD1,dc=hpipsec,dc=hp,dc=com.
On host1, HP entered the following commands to load CRLs from the Active Directory server on the
host hp-ad1.hpipsec.hp.com:
ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \
-base "cn=IPSecRootCA,cn=hproot,cn=CDP,cn=Public Key Services,\
cn=Services,cn=Configuration,dc=hp-ad1,dc=hpipsec,dc=hp,dc=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \
-base "cn=IPSecIntermCA1,cn=hpinterm1,cn=CDP,cn=Public Key Services,\
cn=Services,cn=Configuration,dc=hp-ad1,dc=hpipsec,dc=hp,dc=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \
-base "cn=IPSecIntermCA2,cn=hpinterm2,cn=CDP,cn=Public Key Services,\
cn=Services,cn=Configuration,dc=hp-ad1,dc=hpipsec,dc=hp,dc=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \
-base "cn=IPSecEntCA1,cn=hpent1,cn=CDP,cn=Public Key Services,\
cn=Services,cn=Configuration,dc=hp-ad1,dc=hpipsec,dc=hp,dc=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
ipsec_config add crl -ldap hp-ad1.hpipsec.hp.com \
-base "cn=IPSecEntCA2,cn=hpent2,cn=CDP,cn=Public Key Services,\
cn=Services,cn=Configuration,dc=hp-ad1,dc=hpipsec,dc=hp,dc=com" \
-filter "objectClass=cRLDistributionPoint" \
-user "adminCW@hp.com" \
-password myPass
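The five commands above differ only in the CA common name and the hostname, and the one part that must not be copied from the CA-certificate section is the filter's objectClass. The following POSIX shell script is an added example (it is not part of the HP white paper and not an HP-UX tool): it builds the cn=CA_commonName,cn=hostname,cn=CDP,... base DN and the cRLDistributionPoint filter from a single table of issuing CAs and prints the resulting ipsec_config command for each. The server name, domain DN, bind user and CA table are constructed values taken from the paper's example environment; the password is deliberately left out of the generated command.

```shell
#!/bin/sh
# Added example, not from the HP white paper: generate the
# "ipsec_config add crl -ldap" command for every issuing CA from one table,
# so each base DN follows the cn=CA_commonName,cn=hostname,cn=CDP,... pattern
# and every filter uses the cRLDistributionPoint objectClass.
# Server, domain DN, bind user and CA table are constructed values from the
# paper's example environment; -password is intentionally not embedded.

AD_SERVER="hp-ad1.hpipsec.hp.com"
AD_DOMAIN_DN="dc=hp-ad1,dc=hpipsec,dc=hp,dc=com"
LDAP_BIND_USER="adminCW@hp.com"

# Constructed table: one "CA_commonName hostname" pair per line, where
# hostname is the host portion of the issuing CA's FQDN.
CA_TABLE="IPSecRootCA hproot
IPSecIntermCA1 hpinterm1
IPSecIntermCA2 hpinterm2
IPSecEntCA1 hpent1
IPSecEntCA2 hpent2"

# crl_base_dn CA_CN HOSTNAME DOMAIN_DN
# Prints the DN of the CDP container that holds this CA's CRL object.
crl_base_dn() {
    printf 'cn=%s,cn=%s,cn=CDP,cn=Public Key Services,cn=Services,cn=Configuration,%s' \
        "$1" "$2" "$3"
}

# CRL objects under cn=CDP carry objectClass cRLDistributionPoint. The
# certificationAuthority class used for the CA-certificate search matches
# the CA certificate objects only, so a CRL search using it finds nothing.
crl_filter() {
    printf 'objectClass=cRLDistributionPoint'
}

# crl_load_cmd CA_CN HOSTNAME
# Prints the ipsec_config command line for one CA (without -password).
crl_load_cmd() {
    printf 'ipsec_config add crl -ldap %s -base "%s" -filter "%s" -user "%s"\n' \
        "$AD_SERVER" "$(crl_base_dn "$1" "$2" "$AD_DOMAIN_DN")" \
        "$(crl_filter)" "$LDAP_BIND_USER"
}

# crl_load_cmds
# Prints one command per CA in CA_TABLE; malformed or blank lines are skipped.
crl_load_cmds() {
    printf '%s\n' "$CA_TABLE" | while read ca_cn host; do
        [ -n "$ca_cn" ] && [ -n "$host" ] || continue
        crl_load_cmd "$ca_cn" "$host"
    done
}

# crl_count
# Prints how many commands were generated; compare it with the number of
# issuing CAs before running anything.
crl_count() {
    crl_load_cmds | wc -l | tr -d ' '
}

crl_load_cmds
```

Run the script, review the printed commands, then append the -password argument when executing them. The paper's commands pass the password on the command line; keep in mind that command-line arguments are visible to other users on the host through process listings, so treat such a bind password as exposed and prefer a dedicated low-privilege read-only bind account for CRL retrieval.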