Using OpenSSL Certificates with HP-UX IPSec A.03.00

o In the section [ policy_match ], configure the stateOrProvinceName and
emailAddress parameters as follows:
stateOrProvinceName = optional
emailAddress = optional
HP-UX IPSec does not support state names or email addresses in the subject field of
certificates or CSRs. The above configuration enables the OpenSSL CA to accept
CSRs that do not contain these attributes.
2. Initialize the environment for the CA.
Set the current working directory to the base directory for OpenSSL objects (the directory specified
for the dir variable in the master configuration file).
Enter the following HP-UX commands to initialize the environment for the CA. These commands
create the subdirectories needed for the CA, set the initial value for certificate serial numbers and
create an index file.
mkdir certs crl newcerts private
echo "01" > serial
touch index.txt
3. Create a self-signed certificate for the CA.
Enter the following openssl req command:
openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem \
-out cacert.pem -days 730
The openssl utility will prompt you for a PEM (Privacy Enhanced Mail) passphrase to protect the
private key. Make a note of this passphrase; OpenSSL will prompt you for it when you sign the
host certificates.
HP recommends that you verify that the private key file (private/cakey.pem) is readable only
by the root user. (If not, enter the appropriate chown root and chmod 400 commands.)
4. (Optional) Convert the CA’s certificate to DER format.
Enter the following openssl x509 command:
openssl x509 -in cacert.pem -outform der \
-out cacert.der
5. Transfer the CA certificate to the IPsec hosts or store the CA certificate in an LDAP directory as
described in “(Optional) Adding the CA Certificate and CRL to an LDAP Directory.”
Creating the CRL
Use the following procedure to create the CRL on the OpenSSL CA system. After you create the initial
CRL, you must generate a new CRL after you revoke a certificate. You must also generate a new CRL
when the CRL expires. In the example below, the CRL expires in 15 days.
1. Enter the following OpenSSL command to generate the CRL:
openssl ca -gencrl -crldays 15 -out crl/crl.pem
2. (Optional) Enter the following OpenSSL command to convert the CRL to DER format:
openssl crl -in crl/crl.pem -outform der -out crl/crl.der
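The following script is an added example, not part of the HP document and not OpenSSL's own code. It runs the CA setup (steps 2 through 4 above) and the CRL procedure end to end in a scratch directory, then checks the results that the text asks you to verify: that the CA key is readable only by its owner, and that the CRL verifies against the CA certificate. It assumes an openssl binary on the PATH; the subject name, the passphrase and the minimal openssl.cnf it writes are placeholders of its own, not values taken from the document. The passphrase is passed through the environment (env:CA_PASS) rather than on the command line so it does not appear in process listings.

```shell
#!/bin/sh
# Added example (not HP's or OpenSSL's code): builds the CA described in the
# procedure above in a scratch directory and checks the outcome.
# Assumed: openssl on PATH. CA_PASS and the subject below are placeholders.
set -eu

CA_PASS="${CA_PASS:-example-passphrase}"   # placeholder, read by OpenSSL via env:CA_PASS
export CA_PASS

# Write a minimal master configuration; [ policy_match ] makes stateOrProvinceName
# and emailAddress optional, as the text requires for HP-UX IPSec CSRs.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $1
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 15
policy           = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 2-4 of the procedure plus the CRL steps, run inside DIR.
setup_ca() {
    dir="$1"
    write_ca_config "$dir"
    (
        cd "$dir"
        # Step 2: initialise the CA environment.
        mkdir -p certs crl newcerts private
        echo "01" > serial
        touch index.txt
        # Step 3: self-signed CA certificate; -subj stands in for the interactive prompts.
        openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem \
            -out cacert.pem -days 730 -config openssl.cnf \
            -subj "/C=US/O=Example Org/CN=Example IPsec CA" -passout env:CA_PASS
        chmod 400 private/cakey.pem      # the text also expects root ownership (chown root)
        # Step 4: DER copy of the CA certificate.
        openssl x509 -in cacert.pem -outform der -out cacert.der
        # CRL procedure: initial CRL valid for 15 days, then a DER copy.
        openssl ca -config openssl.cnf -gencrl -crldays 15 -out crl/crl.pem -passin env:CA_PASS
        openssl crl -in crl/crl.pem -outform der -out crl/crl.der
    )
}

# Check: the CA private key is mode 0400 (owner read only).
key_mode_is_400() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Check: the CRL is signed by the CA certificate, and both DER files parse.
ca_artifacts_ok() {
    dir="$1"
    openssl crl -in "$dir/crl/crl.pem" -noout -CAfile "$dir/cacert.pem" 2>&1 | grep -q "verify OK" &&
    openssl x509 -in "$dir/cacert.der" -inform der -noout >/dev/null 2>&1 &&
    openssl crl -in "$dir/crl/crl.der" -inform der -noout >/dev/null 2>&1
}

# Usage: sh this_script.sh [DIR]; a temporary directory is used when DIR is omitted.
if command -v openssl >/dev/null 2>&1; then
    ca_dir="${1:-$(mktemp -d)}"
    setup_ca "$ca_dir"
    if key_mode_is_400 "$ca_dir/private/cakey.pem" && ca_artifacts_ok "$ca_dir"; then
        echo "CA certificate and CRL created in $ca_dir"
    else
        echo "post-setup check failed in $ca_dir" >&2
        exit 1
    fi
fi
```

The CRL verification step is the check worth keeping in any CA runbook: a CRL that IPsec hosts cannot verify against the CA certificate they trust is silently useless, so verify it against cacert.pem before distributing it, and repeat the same check each time you regenerate the CRL after a revocation or expiry.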