Using OpenSSL Certificates with HP-UX IPSec A.02.01
Overview
This document provides information on using HP-UX IPSec versions A.02.01 and later with OpenSSL
certificates for IKE primary authentication. This document also describes how to store and retrieve
OpenSSL Certificate Revocation Lists (CRLs) using local files or an LDAP (Lightweight Directory Access
Protocol) server. A CRL contains a list of revoked (invalid) certificates. HP-UX IPSec uses the CRL to
verify that a remote system's certificate is valid during IKE primary authentication.
The HP-UX OpenSSL product is available from the HP Software Depot website:
http://www.hp.com/go/softwaredepot
The following LDAP server implementations for HP-UX are also available from the HP Software depot
website:
• Netscape Directory Server for HP-UX
• OpenLDAP, a component of the HP-UX Internet Express bundle
This document assumes that the user is familiar with HP-UX IPSec and how it uses certificates. For
more information about HP-UX IPSec, refer to the HP-UX IPSec Administrator's Guide.
Additional Requirements
The procedures for creating OpenSSL certificates and CRLs for HP-UX IPSec are similar to the
procedures typically used to create OpenSSL certificates and CRLs for other applications, with the
following additional requirements:
• Copy of the CRL in Distinguished Encoding Rules (DER) format
HP-UX IPSec retrieves the CRL from an LDAP server or from a local file. The CRL must be in DER
format.
• Copy of the CA’s certificate in DER format
If you want HP-UX IPSec to retrieve the CRL from an LDAP server, you must store the CA’s certificate
in the LDAP server in addition to the CRL. The CA’s certificate must be in DER format.
After you have created the OpenSSL certificates and CRL, you must configure HP-UX IPSec to use the
OpenSSL certificates and CRL.
Creating and Configuring OpenSSL Certificates and CRLs
To use HP-UX IPSec with OpenSSL certificates, you must complete the following tasks:
• Initialize the OpenSSL Certificate Authority (CA)
• Create the Certificate Revocation List (CRL) on the CA system
• Add the CRL to the LDAP directory
• Create host certificates for HP-UX IPSec hosts
• Configure IPSec policies, IKE policies, and authentication records on the HP-UX IPSec hosts
• Add the CRL to the HP-UX IPSec configuration on the HP-UX IPSec hosts
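Both the CRL and the CA certificate must be DER-encoded before HP-UX IPSec reads them or they are stored in the LDAP server. The following script is an added example and is not part of the HP document: it reports whether a file is PEM or DER and, if needed, produces the DER copy with the openssl command line (the crl and x509 subcommands with -inform/-outform); the file names and the ensure_der.sh script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the HP document: make sure a CRL or CA
# certificate is DER-encoded before handing it to HP-UX IPSec or
# storing it in the LDAP server. File names are placeholders.

# Report the encoding of file $1 as "pem", "der" or "unknown".
# A DER-encoded CRL or certificate begins with the ASN.1 SEQUENCE tag
# (0x30); a PEM file begins with a "-----BEGIN ..." line (0x2d is '-').
cert_format() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first" in
        30) echo der ;;
        2d) if head -n 1 "$1" | grep -q '^-----BEGIN '; then
                echo pem
            else
                echo unknown; return 1
            fi ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Write a DER copy of $1 to $2. $3 names the object type for openssl:
# "crl" for a CRL, "x509" for the CA certificate.
ensure_der() {
    case "$3" in
        crl|x509) ;;
        *) echo "type must be crl or x509" >&2; return 1 ;;
    esac
    case "$(cert_format "$1")" in
        der) cp "$1" "$2" ;;
        pem) openssl "$3" -inform PEM -in "$1" -outform DER -out "$2" || return 1 ;;
        *)   echo "$1: neither PEM nor DER" >&2; return 1 ;;
    esac
    # Confirm the output parses as DER before it is used or published.
    openssl "$3" -inform DER -in "$2" -noout
}

# Usage: sh ensure_der.sh <crl-or-cert-file> <output.der> <crl|x509>
if [ $# -eq 3 ]; then
    ensure_der "$1" "$2" "$3"
fi
```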