Using OpenSSL Certificates with HP-UX IPSec A.02.01
Creating the CRL
Use the following procedure to create the CRL on the OpenSSL CA system. After you create the initial
CRL, you must generate a new CRL after you revoke a certificate. You must also generate a new CRL
when the CRL expires. In the example below, the CRL expires in 15 days.
1. Enter the following OpenSSL command to generate the CRL:
openssl ca -gencrl -crldays 15 -out crl/crl.pem
2. Enter the following OpenSSL command to convert the CRL to DER format:
openssl crl -in crl/crl.pem -outform der -out crl/crl.der
Note
To revoke an OpenSSL certificate, use the command openssl ca -revoke cert_file. Refer to
the ca(1) manpage for more information.
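The procedure above produces crl/crl.der and the text notes that the CRL must be regenerated when it expires (15 days in the example). The following Python is an added example, not part of the HP document: it reads thisUpdate and nextUpdate straight out of a DER CertificateList with a small standard-library TLV walker and classifies the CRL as current, expiring or expired, so a scheduled job can regenerate it before the window closes. The sample CRL it builds is a constructed, unsigned skeleton for exercising the parser, not a real CRL; the field order it relies on is the one RFC 5280 defines for tbsCertList.

```python
# Added example, not from the HP document: check the validity window of a
# DER-format CRL (the crl/crl.der the page produces) with only the stdlib.
from datetime import datetime, timezone, timedelta

SEQUENCE, INTEGER, UTC_TIME, GENERALIZED_TIME = 0x30, 0x02, 0x17, 0x18


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTC_TIME:                    # RFC 5280 4.1.2.5.1: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == GENERALIZED_TIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList.
    nextUpdate is OPTIONAL in X.509, so it may come back as None."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert_list, 0)    # tbsCertList
    tag, _, pos = _read_tlv(tbs, 0)        # version (optional) or signature alg
    if tag == INTEGER:
        _, _, pos = _read_tlv(tbs, pos)    # skip signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # skip issuer Name
    tag, val, pos = _read_tlv(tbs, pos)    # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)  # nextUpdate if a time, else revokedCertificates
        if tag in (UTC_TIME, GENERALIZED_TIME):
            next_update = _parse_time(tag, val)
    return this_update, next_update


def crl_status(der, now=None, warn_days=2):
    """Classify a CRL as 'current', 'expiring' (< warn_days left), 'expired'
    or 'no-nextupdate'."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-nextupdate"
    if now >= next_update:
        return "expired"
    if next_update - now < timedelta(days=warn_days):
        return "expiring"
    return "current"


# --- constructed sample input: a syntactically valid but UNSIGNED CRL
# skeleton built by hand. Not a real CRL; it only exercises the parser. ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def make_sample_crl(this_update, next_update):
    utc = lambda d: _tlv(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _tlv(SEQUENCE, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA, NULL
    cn = _tlv(SEQUENCE, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, b"pki-ca"))          # CN=pki-ca
    issuer = _tlv(SEQUENCE, _tlv(0x31, cn))
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    signature = _tlv(0x03, b"\x00" + bytes(32))   # placeholder BIT STRING, not a signature
    return _tlv(SEQUENCE, tbs + alg + signature)


# 15-day window, matching the -crldays 15 example on the page
SAMPLE_CRL_DER = make_sample_crl(datetime(2004, 3, 1, tzinfo=timezone.utc),
                                 datetime(2004, 3, 16, tzinfo=timezone.utc))

if __name__ == "__main__":
    start, end = crl_validity(SAMPLE_CRL_DER)
    print("thisUpdate", start, "nextUpdate", end, "status:", crl_status(SAMPLE_CRL_DER))
```

To check a real file, replace SAMPLE_CRL_DER with the bytes of crl/crl.der; a status of "expiring" is the point at which to rerun the openssl ca -gencrl and openssl crl -outform der steps above and republish.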
Adding the CRL to the LDAP Directory
Use the following procedure to add the CRL to the LDAP directory. Alternatively, you can manually
transfer the CRL file to the HP-UX IPSec system and add the CRL file to the HP-UX IPSec configuration.
Use the ldapmodify utility to load the CRL into the LDAP database as part of a
certificationAuthority object. Specify the -a option the first time you load the CRL. For
example:
ldapmodify -a -v -w - -W -D "cn=admin,ou=lab,o=example,c=us" \
-f crl.ldif
The LDAP Data Interchange Format (LDIF) file used for the ldapmodify command contains entries
to read in the CA’s certificate (cACertificate) and CRL (certificateRevocationList)
from the cacert.der and crl.der files. The LDIF file also contains an entry to add an empty
authorityRevocationList (a list of CAs with revoked certificates). The
authorityRevocationList is a required attribute for the certificationAuthority
object, but is not used by HP-UX IPSec. In this example, the LDIF file (crl.ldif) contains the
following entries:
version: 1
dn: ou=lab,o=example,c=us
cn: pki-ca
description: Certificate Authority certificate and revocation list
cACertificate;binary:< file:///opt/openssl/CA/cacert.der
certificateRevocationList;binary:< file:///opt/openssl/CA/crl/crl.der
authorityRevocationList;binary:
objectClass: certificationAuthority
objectClass: applicationProcess
NOTE: The Netscape Directory Server for HP-UX (NDS) version 6.11 has a known problem when
processing a redirection symbol (<) and Uniform Resource Identifier (URI), such as the above
specification < file:///opt/openssl/CA/cacert.der. NDS version 6.11 loads the value of the URI
string instead of dereferencing the object. This problem is fixed in NDS version 6.21. There are
two workarounds for NDS version 6.11:
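The crl.ldif above hands the server file:// URLs, which only works when the directory server dereferences them, and the note describes an NDS release that stores the URL text instead. As an added example that is not from the HP document (and is not either of the workarounds the document goes on to describe), the following Python renders the same certificationAuthority entry with the certificate and CRL bytes inlined as base64 using the RFC 2849 "::" form, folds long lines at 76 characters, and parses the result back to confirm the bytes round-trip. The DN, attribute names and values are the document's; the certificate and CRL bytes are constructed placeholders, not real DER.

```python
# Added example, not part of the HP document: build the certificationAuthority
# LDIF entry with the DER values inlined as base64 (RFC 2849 "::" syntax) so
# the directory server never has to dereference a file:// URL, then parse it.
import base64

LDIF_WIDTH = 76   # RFC 2849 folds lines longer than 76 characters


def _fold(line, width=LDIF_WIDTH):
    """Fold one logical LDIF line; continuation lines start with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_entry(dn, attrs):
    """Render one entry. attrs is a list of (name, value): bytes values become
    'name:: <base64>', an empty bytes value becomes 'name:' (the empty
    authorityRevocationList the document adds), str values 'name: value'."""
    lines = ["dn: " + dn]
    for name, value in attrs:
        if isinstance(value, bytes):
            encoded = base64.b64encode(value).decode("ascii")
            lines.append(f"{name}:: {encoded}" if value else f"{name}:")
        else:
            lines.append(f"{name}: {value}")
    return "\n".join(_fold(line) for line in lines) + "\n"


def build_ca_ldif(cacert_der, crl_der, dn="ou=lab,o=example,c=us"):
    """Same attributes as the document's crl.ldif, with values inlined."""
    attrs = [
        ("cn", "pki-ca"),
        ("description", "Certificate Authority certificate and revocation list"),
        ("cACertificate;binary", cacert_der),
        ("certificateRevocationList;binary", crl_der),
        ("authorityRevocationList;binary", b""),
        ("objectClass", "certificationAuthority"),
        ("objectClass", "applicationProcess"),
    ]
    return "version: 1\n" + ldif_entry(dn, attrs)


def parse_ldif(text):
    """Unfold and decode one entry into {name: [values]}. '::' values come back
    as bytes; ':<' values are returned as ('url', target) so a pre-load check
    can reject LDIF that still relies on server-side dereferencing."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # join continuation line
        else:
            logical.append(line)
    entry = {}
    for line in logical:
        if not line or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # base64 form
            value = base64.b64decode(value[1:].strip())
        elif value.startswith("<"):          # URL form the NDS note is about
            value = ("url", value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


# Constructed placeholders standing in for cacert.der and crl.der (not real DER)
SAMPLE_CACERT_DER = bytes(range(256)) * 2
SAMPLE_CRL_DER = bytes.fromhex("3003020101")

if __name__ == "__main__":
    print(build_ca_ldif(SAMPLE_CACERT_DER, SAMPLE_CRL_DER), end="")
```

Write the output of build_ca_ldif to crl.ldif (reading the real cacert.der and crl/crl.der as bytes) and load it with the same ldapmodify -a command shown above; running parse_ldif over a file first and refusing any ("url", ...) value is a cheap guard against the behaviour the note describes.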
Workaround 1
1. Use the above ldapmodify command and LDIF file to create a certificationAuthority
object in the LDAP directory. The object will not have the correct data for the cACertificate and
certificateRevocationList attributes (the attribute values will be the file paths instead of the