Using OpenSSL Certificates with HP-UX IPSec A.02.01

file data).
2. Use the Directory Server Console to modify the certificationAuthority object and load the file
data as the attribute values.
Workaround 2
Add the -b (binary data) option to the ldapmodify command and replace each redirection and URI
in the LDIF file with the absolute path of the file. For example:
ldapmodify -a -b -v -w - -W -D "cn=admin,ou=lab,o=example,c=us" \
-f crl.ldif
Configure the crl.ldif file to contain entries similar to the following:
version: 1
dn: ou=lab,o=example,c=us
cn: pki-ca
description: Certificate Authority certificate and revocation list
cACertificate;binary: /opt/openssl/CA/cacert.der
certificateRevocationList;binary: /opt/openssl/CA/crl/crl.der
authorityRevocationList;binary:
objectClass: certificationAuthority
objectClass: applicationProcess
Creating Host Certificates
Use the following procedure to create and configure host certificates for the HP-UX IPSec hosts:
1. On each HP-UX IPSec host, use the ipsec_config add csr command to create a Certificate
Signing Request (CSR).
The syntax for the ipsec_config add csr command is as follows:
ipsec_config add csr -subj[ect_name] subject_name
[-alt-ipv4 ipv4_addr]
[-alt-fqdn fqdn] [-alt-user-fqdn user_fqdn]
[-days number_days] [-key-length|klen number_bits]
TIP: The -alt-nnn arguments supply values for the certificate's subjectAlternativeName
extension. HP recommends that you specify the -alt-ipv4 argument for most topologies. HP-UX
IPSec uses IP addresses for IKE IDs by default, so if you specify -alt-ipv4 and the system has
only one IP address (the system is not multihomed), you do not have to specify the local ID in
authentication records on the local system, and you do not have to configure an authentication
record for this system on remote systems.
Refer to the ipsec_config_add manpage for more information.
In the following example, the subjectAlternativeName field in the certificate will be the system's
IPv4 address, 15.1.1.1:
ipsec_config add csr -subject "cn=myhost,c=us,o=hp,ou=lab" \
-alt-ipv4 15.1.1.1
The ipsec_config utility will save the CSR in the file /var/adm/ipsec/ipsec.csr.
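The three -alt-nnn arguments correspond to the GeneralName choices of the X.509 subjectAltName extension. The following is an added example, not code from this document or from the ipsec_config utility: it encodes a subjectAltName extension value from those arguments and decodes it back. The mapping of -alt-ipv4 to iPAddress, -alt-fqdn to dNSName and -alt-user-fqdn to rfc822Name is an assumption about how ipsec_config fills the CSR, and the host names and addresses used are constructed. The decoder doubles as the check to run once the CA has signed the certificate: the extension must carry the IPv4 address the host will present as its IKE ID.

```python
"""
Encode and decode an X.509 subjectAltName extension value (RFC 5280 GeneralNames).

Added example, not part of the HP-UX IPSec document or the ipsec_config tool.
Assumed mapping of the ipsec_config add csr arguments onto GeneralName choices:
  -alt-ipv4      -> iPAddress   ([7] OCTET STRING, 4 bytes for IPv4)
  -alt-fqdn      -> dNSName     ([2] IA5String)
  -alt-user-fqdn -> rfc822Name  ([1] IA5String, user@fqdn)
"""
import ipaddress

TAG_RFC822 = 0x81   # [1] IMPLICIT IA5String
TAG_DNS = 0x82      # [2] IMPLICIT IA5String
TAG_IP = 0x87       # [7] IMPLICIT OCTET STRING
TAG_SEQUENCE = 0x30


def _der_len(n):
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(value)) + value


def encode_san(ipv4=None, fqdn=None, user_fqdn=None):
    """Build the DER value of a subjectAltName extension from the three kinds
    of argument ipsec_config add csr accepts (assumed mapping above).
    Returns the bytes of the GeneralNames SEQUENCE."""
    names = []
    if ipv4:
        names.append(_tlv(TAG_IP, ipaddress.IPv4Address(ipv4).packed))
    if fqdn:
        names.append(_tlv(TAG_DNS, fqdn.encode("ascii")))
    if user_fqdn:
        names.append(_tlv(TAG_RFC822, user_fqdn.encode("ascii")))
    if not names:
        raise ValueError("subjectAltName must contain at least one GeneralName")
    return _tlv(TAG_SEQUENCE, b"".join(names))


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_san(der):
    """Decode a subjectAltName extension value into a list of (kind, text)
    tuples, e.g. [("IP", "15.1.1.1"), ("DNS", "myhost.lab.example")].
    Unknown GeneralName choices are reported as ("OTHER", hex)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_IP:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 (IPv4) or 16 (IPv6) bytes")
            out.append(("IP", str(ipaddress.ip_address(value))))
        elif tag == TAG_DNS:
            out.append(("DNS", value.decode("ascii")))
        elif tag == TAG_RFC822:
            out.append(("EMAIL", value.decode("ascii")))
        else:
            out.append(("OTHER", value.hex()))
    return out


def san_has_ipv4(der, ipv4):
    """The check to apply to a signed certificate's subjectAltName value:
    does it carry the IPv4 address the host will use as its IKE ID?"""
    return ("IP", str(ipaddress.IPv4Address(ipv4))) in decode_san(der)


if __name__ == "__main__":
    # Constructed sample matching the document's example: -alt-ipv4 15.1.1.1
    san = encode_san(ipv4="15.1.1.1")
    print(san.hex())          # 300687040f010101
    print(decode_san(san))    # [('IP', '15.1.1.1')]
```

The encoded bytes are the extension value only; in a certificate they sit inside the OCTET STRING of the extension with OID 2.5.29.17, which is the value you would extract and feed to decode_san when confirming that the CA honoured the request.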
2. Transfer the CSR file (/var/adm/ipsec/ipsec.csr) to the OpenSSL CA system.
3. On the OpenSSL CA system, you must force the CA to include the subjectAlternativeName field in
the signed certificate. The subjectAlternativeName is an X.509 extension field, and by default
OpenSSL does not copy extensions from a CSR into the certificate it signs. There are two ways to do this: