Using Microsoft Certificates with HP-UX IPSec A.03.00

6. Install the Certificate.
HP used the method described in the Microsoft PKI document to install the certificate using the
certutil.exe -installcert command. This method installs the PKCS#7 (.p7b) file created in
the previous step.
7. Configure the Enterprise CA.
HP used the sample script provided in the Microsoft PKI document to configure an EnterpriseSubCA,
with the following modification:
SET myhttpPKIvroot=http://www.hp.com/pki
Configuring certificate services for IPsec on the issuing CAs
HP configured certificate services on the issuing enterprise CAs to create a certificate template for
IPsec certificates. The template enables you to use the Microsoft Certificate Services web interface to
create certificate requests with values appropriate for IPsec hosts. You can also use the template when
submitting a certificate request created on an HP-UX system.
HP used the procedures in the Microsoft document How to create offline L2TP/IPSec Certificates to
configure the Certificate Services for IPsec.
NOTE: Do not perform the procedure for installing certificate services described in the Microsoft How
to create offline L2TP/IPSec Certificates document. If you followed the procedures in this whitepaper,
you already installed certificate services on the issuing CAs in the procedure “Configuring certificate
services for IPsec on the issuing CAs.”
Complete the following tasks as described in the Microsoft How to create offline L2TP/IPSec
Certificates document:
1. Create a custom MMC as described in the Microsoft document.
2. Create a custom certificate template. In the Microsoft document, the template is created with the
name L2TP/IPSec (Offline request).
On the Request Handling page, select Allow private key to be exported.
3. Issue the custom L2TP/IPSec (Offline request) template as described in the Microsoft document.
Obtaining host certificates for IPsec
HP tested two methods to create host certificates for IPsec:
• Use ipsec_config on the HP-UX system to generate a certificate request and submit the request
  using the Microsoft Certificate Services web interface. This method generates the certificate key pair
  on the HP-UX system.
• Use the Microsoft Certificate Services web interface to request a certificate. This method generates
  the certificate key pair on the Microsoft system. The key pair is exported to the HP-UX system in an
  encrypted PKCS#12 file.
NOTE: If you are using a standalone CA, you must use ipsec_config to obtain host certificates.
You cannot use the Microsoft Certificate web interface to request a certificate.
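The difference between the two methods above, shown as an added example that is not part of the HP or Microsoft procedures. It assumes OpenSSL as a stand-in for ipsec_config and the Microsoft CA; the subject name, file names and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for ipsec_config and the Microsoft CA.
# Subject name, file names and passwords are constructed sample values.
SUBJ="/CN=hpux1.example.com"

# Method 1: key pair and request are created on the host; only host.csr is submitted.
make_csr() {   # $1 = working directory
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
    chmod 600 "$1/host.key"   # the private key stays local and unreadable to others
}

# A request carries subject, public key and a self-signature, never the private key.
csr_is_safe_to_send() {   # $1 = file about to be submitted to the CA
    ! grep -q "PRIVATE KEY" "$1" &&
        openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Method 2: the key pair travels inside a password-encrypted PKCS#12 file.
# A self-signed certificate stands in for the CA-issued one.
make_p12() {   # $1 = working directory, $2 = export password
    openssl req -x509 -key "$1/host.key" -subj "$SUBJ" -days 1 \
        -out "$1/host.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/host.key" -in "$1/host.crt" \
        -out "$1/host.p12" -passout "pass:$2"
}

# The PKCS#12 file must open only with the export password.
p12_opens_with() {   # $1 = PKCS#12 file, $2 = password to try
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_csr "$d" && csr_is_safe_to_send "$d/host.csr" && echo "CSR: public data only"
    make_p12 "$d" "constructed-pass"
    p12_opens_with "$d/host.p12" "constructed-pass" && echo "PKCS#12: opens with export password"
    p12_opens_with "$d/host.p12" "wrong-pass" || echo "PKCS#12: rejects a wrong password"
    rm -rf "$d"
}
demo
```

With the second method, the protection of the private key in transit rests on the strength of the PKCS#12 export password.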
Using ipsec_config to obtain host certificates
Use the following procedure to create a certificate request with ipsec_config and submit the
request to the enterprise CA. This method creates the certificate request and certificate key pair on
the HP-UX system. The key pair never leaves the HP-UX system.