Using OpenSSL Certificates with HP-UX IPSec A.03.00
TIP: The -alt-nnn arguments specify values for the certificate's subjectAlternativeName
field. HP recommends that you specify the -alt-ipv4 argument for most topologies. HP-UX
IPSec uses IP addresses for IKE IDs by default, so if you specify -alt-ipv4 and the
system has only one IP address (the system is not multihomed), you do not have to specify the
local ID in authentication records on the local system, and you do not have to configure an
authentication record for this system on remote systems.
Refer to the ipsec_config_add manpage for more information.
In the following example, the subjectAlternativeName field in the certificate will be the system's
IPv4 address, 15.1.1.1.
ipsec_config add csr -subject "cn=myhost,c=us,o=hp,ou=lab" \
-alt-ipv4 15.1.1.1
The ipsec_config utility will save the CSR in the file /var/adm/ipsec/ipsec.csr.
2. Transfer the CSR file (/var/adm/ipsec/ipsec.csr) to the OpenSSL CA system.
3. On the OpenSSL CA system, you must force the CA to include the subjectAlternativeName field in
the signed certificate. The subjectAlternativeName is an X.509 extension field, and openssl ca does not
carry extensions from the CSR into the signed certificate unless told to. There are two ways
to do this:
a. Modify the OpenSSL configuration file to copy extensions from the CSR. Uncomment
the following entry in the OpenSSL configuration file:
copy_extensions = copy
b. Create an extension file with the subjectAlternativeName information and specify it
as part of the openssl ca command. Some examples are listed below:
echo "subjectAltName=IP:my_ip_addr" > newcerts/myfile.ext
echo "subjectAltName=DNS:my_fqdn" > newcerts/myfile.ext
echo "subjectAltName=email:my_user-fqdn" > \
newcerts/myfile.ext
4. Use the openssl ca command to sign the host certificate. If you are not using an extension file,
use the following syntax:
openssl ca -out myhost.pem -infiles ipsec.csr
If you are using an extension file, use the following syntax:
openssl ca -out myhost.pem -extfile myfile.ext -infiles ipsec.csr
5. Transfer the host certificates to the appropriate HP-UX IPSec systems.
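The signing procedure above (steps 3 and 4), as an added example that is not from the HP-UX IPSec manual: a POSIX shell script that builds a throwaway OpenSSL CA with a minimal openssl.cnf, signs a CSR that already carries a subjectAlternativeName, and then checks whether the SAN actually survived signing. The IPv4 address 15.1.1.1, the subject and the file names (ipsec.csr, myfile.ext, myhost.pem) are the page's values; the demo CA, its configuration file, the temp-directory layout and the function names are assumptions made for this script. The check at the end is the one worth running before step 5: a CA configured with neither copy_extensions nor -extfile silently drops the SAN, and the certificate then no longer carries the ID that HP-UX IPSec expects to use.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec manual: sign a CSR that carries a
# subjectAlternativeName with "openssl ca" and check that the SAN survived.
# The demo CA, its minimal openssl.cnf and the temp-directory layout are
# assumptions for this script; 15.1.1.1, the subject and the file names
# (ipsec.csr, myfile.ext, myhost.pem) are the values used on the page.

# Step 3, option 2: write an extension file. KIND is IP, DNS or email.
# Usage: make_san_extfile FILE KIND VALUE
make_san_extfile() {
    printf 'subjectAltName=%s:%s\n' "$2" "$3" > "$1"
}

# Return 0 if certificate FILE lists the SAN entry PATTERN as printed by
# "openssl x509 -text" ("IP Address:15.1.1.1", "DNS:host", "email:user@host").
# A CA with neither copy_extensions nor -extfile silently drops the SAN, so
# run this before transferring the certificate to the HP-UX IPSec host.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q -- "$2"
}

# Build a minimal "openssl ca" database in WORK and sign ipsec.csr with it.
# COPY is the copy_extensions value ("copy" or "none", step 3 option a);
# EXTFILE is empty or a file passed as -extfile (step 3 option b).
sign_with_demo_ca() {
    WORK=$1; COPY=$2; EXTFILE=$3
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
database        = $WORK/index.txt
new_certs_dir   = $WORK/newcerts
serial          = $WORK/serial
certificate     = $WORK/ca.pem
private_key     = $WORK/ca.key
default_md      = sha256
default_days    = 365
policy          = demo_policy
copy_extensions = $COPY
[ demo_policy ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
commonName = placeholder
[ req_san ]
subjectAltName = IP:15.1.1.1
EOF
    # Constructed self-signed demo CA standing in for the OpenSSL CA system.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Host CSR with the SAN inside it, as "ipsec_config add csr -alt-ipv4" produces.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myhost/C=US/O=hp/OU=lab" \
        -reqexts req_san -config "$WORK/openssl.cnf" \
        -keyout "$WORK/host.key" -out "$WORK/ipsec.csr" 2>/dev/null
    # Step 4: the two command forms from the page, plus -batch/-config for the demo CA.
    if [ -n "$EXTFILE" ]; then
        openssl ca -batch -config "$WORK/openssl.cnf" -out "$WORK/myhost.pem" \
            -extfile "$EXTFILE" -infiles "$WORK/ipsec.csr" 2>/dev/null
    else
        openssl ca -batch -config "$WORK/openssl.cnf" -out "$WORK/myhost.pem" \
            -infiles "$WORK/ipsec.csr" 2>/dev/null
    fi
}

# Run one scenario in a throwaway directory. COPY as above; USE_EXT is "yes"
# to also generate and pass myfile.ext. Returns 0 if the signed certificate
# carries IP:15.1.1.1, 1 if the SAN was lost.
san_survives() {
    W=$(mktemp -d); EXT=""
    if [ "$2" = yes ]; then
        make_san_extfile "$W/myfile.ext" IP 15.1.1.1
        EXT=$W/myfile.ext
    fi
    sign_with_demo_ca "$W" "$1" "$EXT"
    if cert_has_san "$W/myhost.pem" "IP Address:15.1.1.1"; then R=0; else R=1; fi
    rm -rf "$W"
    return $R
}

# Demonstration: the CA configured neither way loses the SAN; either fix keeps it.
if command -v openssl >/dev/null 2>&1; then
    for scenario in "none no" "copy no" "none yes"; do
        set -- $scenario
        if san_survives "$1" "$2"; then r=present; else r=MISSING; fi
        printf 'copy_extensions=%-4s extfile=%-3s -> SAN %s\n' "$1" "$2" "$r"
    done
fi
```

On a real CA you would not build the database in a temp directory; the point is the cert_has_san check, which is just "openssl x509 -noout -text -in myhost.pem" inspected for the expected Subject Alternative Name entry. Run it on every host certificate before step 5, since a certificate signed with neither copy_extensions nor -extfile looks valid but lacks the IP address that HP-UX IPSec will use as the IKE ID.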
Loading the Host Certificate, CA Certificate and CRL
Use the following procedure on each HP-UX IPSec host to load the host certificate, CA certificate and
CRL to the HP-UX IPSec storage scheme:
1. Use the ipsec_config add mycert command to load the host certificate. For example:
ipsec_config add mycert -file myhost.pem
2. Load the CA certificate.