Using Microsoft Certificates with HP-UX IPSec A.03.00

Configuration tasks
Complete the following tasks to configure a multi-tier PKI for use with HP-UX IPSec:
Configure the root and subordinate CAs. See “Configuring the root and subordinate CAs.”
Configure certificate services for IPsec on the issuing CAs. See “Configuring certificate services for
IPsec on the issuing CAs.”
Obtain certificates for the IPsec systems. See “Obtaining host certificates for IPsec.”
Configure HP-UX IPSec to use the certificates. See “Configuring HP-UX IPSec.”
Single-tier PKI topology with a standalone CA
The single-tier PKI topology has one standalone root CA. The HP-UX system and other clients use
certificates issued by the root CA. By default, the CA does not publish its certificate or CRL to an
Active Directory server.
Configuration tasks
The tasks for configuring a single-tier PKI topology with a standalone CA for use with HP-UX IPSec are a
subset of the tasks used to implement a multi-tier PKI topology. The tasks are as follows:
Configure the root CA as described in “Configuring the root CA.”
Obtain host certificates as described in “Using ipsec_config to obtain host certificates.”
Configure HP-UX IPSec as described in “Configuring HP-UX IPSec.” If the CA does not publish the
CA certificate and CRL to an Active Directory or other LDAP directory, you must load these
objects from files as described in “Loading CA Certificates from files” and “Loading CRLs from
files.”
You must also configure the host certificate, host policies, authentication records, and IKE policies
as needed.
Skip the following procedures:
Configuring the intermediate CAs
Configuring the issuing CAs
Configuring certificate services (standalone CAs cannot use certificate templates)
Configuring the root and subordinate CAs
This section describes the tasks needed to configure the CAs. The CAs configured are as follows:
Root CA
Intermediate CAs
Issuing CAs
If you are implementing a single-tier PKI topology, use the procedure in “Configuring the root CA.”
Skip the procedures in “Configuring the intermediate CA” and “Configuring the issuing CA.”
Configuring the root CA
HP used the procedure described for configuring a standalone root CA in the Microsoft PKI document
to configure the root CA with the common name (CN) IPSecRootCA.
The major steps and notes for these steps are as follows:
1. Prepare the CAPolicy.inf file.