Using Microsoft Certificates with HP-UX IPSec A.03.00

HP did not specify a value for the myLDAPserver variable.
The sample script also configures the intermediate CA to include information about the CA policy
in its issued certificates.
10. Verify the intermediate CA configuration.
Configuring the issuing CAs
In this topology, the issuing CAs are enterprise CAs. An enterprise CA must be installed on a server that
is joined to a domain of an Active Directory forest, because it stores its configuration, templates and
published certificates in Active Directory.
HP used the procedure described in the Microsoft PKI document for configuring online enterprise
issuing CAs to configure each issuing CA. HP configured two issuing CAs with the CNs
IPSecEntCA1 and IPSecEntCA2.
The main steps for this procedure are as follows:
1. Retrieve certificates and CRLs for the root and parent (intermediate) CAs.
For IPSecEntCA1, the parent CA is IPSecIntermCA1; for IPSecEntCA2, the parent CA is
IPSecIntermCA2.
2. Import (publish) the root and intermediate CA certificates and CRLs into Active Directory.
HP used the certutil -dspublish command as described in the Microsoft PKI document, with
modifications for the certificate and CRL file names and the system names. For example, on
IPSecEntCA1, HP used the following commands:
certutil -dspublish -f IPSecRootCA.cer RootCA
certutil -dspublish -f IPSecIntermCA1.cer SubCA
certutil -dspublish -f IPSecRootCA.crl hproot IPSecRootCA
certutil -dspublish -f IPSecIntermCA1.crl hpinterm1 IPSecIntermCA1
3. Prepare the CAPolicy.inf file.
HP used the sample CAPolicy.inf file for CorporateEntCA1 in the Microsoft PKI document with
the following modification:
SET myhttpPKIvroot=http://www.hp.com/pki
HP did not specify a value for the myLDAPserver variable.
4. Install the CA components using the procedure for installing online issuing enterprise CAs in the
Microsoft PKI document.
When prompted for the type of installation, select Enterprise subordinate CA.
Set the common name for the CA (IPSecEntCA1 or IPSecEntCA2). Use the default value for
the distinguished name suffix (the Active Directory domain namespace).
This step also creates a certificate request file for the enterprise CA.
5. Process the certificate request on the intermediate CA.
HP processed the request with the web enrollment method described in the Microsoft PKI document.
To use this method, copy the certificate request file to the intermediate CA, then copy and paste the
contents of the request file into the Submit a Certificate Request or Renewal Request page. Because the
intermediate CA holds submitted requests as pending, you then use the Certification Authority MMC to
approve the pending request and export the issued certificate as a PKCS#7 (.p7b) file that contains all
the certificates in the chain.
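The following script is an added example for steps 2 and 3 of the procedure above; it is not code from the HP paper or from the Microsoft PKI document. It runs the same certutil -dspublish commands that the paper lists for IPSecEntCA1, but first checks that each .cer really is the CA it will be published as (subject, issuer, Basic Constraints, validity), that each .crl was issued by that CA, and afterwards reads the cACertificate attribute of the Active Directory object back to confirm that the published certificate is the one that was checked. It then writes the CAPolicy.inf for step 3. Assumptions not stated on the page: the certificate and CRL files were copied from the parent CAs into C:\PKI\Parents, the script runs elevated on IPSecEntCA1 under an Enterprise Admins account on Windows PowerShell 5.1, the CDP container names hproot and hpinterm1 match the LDAP CDP URL that the parent CAs place in their issued certificates, and the policy OID, CPS URL, renewal and CRL values in CAPolicy.inf are example values, not values from the page.

```powershell
using namespace System.Security.Cryptography.X509Certificates
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Set-Location 'C:\PKI\Parents'   # assumed location of the copied .cer/.crl files

# Trust order: root first, then the parent of this issuing CA. Each entry is
# validated before it is published: a wrong file published as RootCA becomes
# a trusted root for every domain member in the forest.
$Chain = @(
    @{ Cer='IPSecRootCA.cer';    Crl='IPSecRootCA.crl';    CN='IPSecRootCA';    Kind='RootCA'; Cdp='hproot'   },
    @{ Cer='IPSecIntermCA1.cer'; Crl='IPSecIntermCA1.crl'; CN='IPSecIntermCA1'; Kind='SubCA';  Cdp='hpinterm1' }
)

function Test-CaCert {
    param([string]$Path, [string]$ExpectedCN, [string]$ExpectedIssuerCN)
    $cert   = [X509Certificate2]::new($Path)
    $cn     = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $issuer = $cert.GetNameInfo([X509NameType]::SimpleName, $true)
    if ($cn -ne $ExpectedCN)           { throw "${Path}: subject '$cn' is not '$ExpectedCN'" }
    if ($issuer -ne $ExpectedIssuerCN) { throw "${Path}: issuer '$issuer' is not '$ExpectedIssuerCN'" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "${Path}: expired on $($cert.NotAfter)" }
    # A CA certificate must carry Basic Constraints with CA=TRUE.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) { throw "${Path}: Basic Constraints CA=TRUE missing" }
    $cert
}

function Test-Crl {
    # Windows PowerShell has no CRL class, so this is a text check on the
    # "Issuer:" block that certutil -dump prints, one RDN per line.
    param([string]$Path, [string]$ExpectedIssuerCN)
    $dump = certutil -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "${Path}: certutil -dump failed ($LASTEXITCODE)" }
    $pattern = "(?m)^\s*CN=$([regex]::Escape($ExpectedIssuerCN))\s*$"
    if (($dump -join "`n") -notmatch $pattern) { throw "${Path}: not issued by CN=$ExpectedIssuerCN" }
}

function Get-PublishedThumbprints {
    # Read the cACertificate attribute of the AD object that certutil -dspublish
    # writes: RootCA goes to the Certification Authorities container (and AIA),
    # SubCA goes to the AIA container.
    param([string]$CN, [string]$Kind)
    $configNC  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks       = "CN=Public Key Services,CN=Services,$configNC"
    $container = if ($Kind -eq 'RootCA') { "CN=Certification Authorities,$pks" } else { "CN=AIA,$pks" }
    $values    = ([ADSI]"LDAP://CN=$CN,$container").Properties['cACertificate']
    $out = @()
    for ($i = 0; $i -lt $values.Count; $i++) {
        $out += [X509Certificate2]::new([byte[]]$values[$i]).Thumbprint
    }
    $out
}

# Step 2: validate, publish, and read back each parent CA certificate and CRL.
$parentCN = $null
foreach ($ca in $Chain) {
    $issuerCN = if ($ca.Kind -eq 'RootCA') { $ca.CN } else { $parentCN }
    $cert = Test-CaCert -Path $ca.Cer -ExpectedCN $ca.CN -ExpectedIssuerCN $issuerCN
    Test-Crl -Path $ca.Crl -ExpectedIssuerCN $ca.CN

    certutil -dspublish -f $ca.Cer $ca.Kind
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $($ca.Cer) failed ($LASTEXITCODE)" }
    certutil -dspublish -f $ca.Crl $ca.Cdp $ca.CN
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $($ca.Crl) failed ($LASTEXITCODE)" }

    if ((Get-PublishedThumbprints -CN $ca.CN -Kind $ca.Kind) -notcontains $cert.Thumbprint) {
        throw "$($ca.CN): AD object does not contain thumbprint $($cert.Thumbprint)"
    }
    $parentCN = $ca.CN
}

# Step 3: CAPolicy.inf must be in %windir% before the CA role is installed.
# The CPS URL uses the paper's http://www.hp.com/pki root; the OID (under the
# 2.999 example arc), renewal and CRL values are assumptions for this example.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=IPSecPolicy

[IPSecPolicy]
OID=2.999.1
URL=http://www.hp.com/pki/cps.html

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Days
CRLPeriodUnits=7
; Do not let an enterprise CA publish the default templates on install;
; add only the templates this CA is meant to issue afterwards.
LoadDefaultTemplates=0
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii
```

Run the script once per issuing CA, changing the intermediate entry in $Chain to IPSecIntermCA2 and hpinterm2 on IPSecEntCA2. The read-back against Active Directory queries the domain controller the script binds to; if the forest has several sites, a check from another site may lag until replication completes.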