Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 5C: Requesting a Baltimore Certificate


If you are using the Baltimore CA for authentication with IPSec, you must first purchase the Baltimore UniCERT 3.5 package. For more information about any of the prerequisites below, see the documentation you received from Baltimore.

NOTE: All IPSec/9000 systems using Baltimore certificates must have IPv4 addresses. IPSec/9000 does not support the use of IPv6 addresses with certificates.

Before you request Baltimore certificates for IPSec systems, you must:

  • Make sure all components of the Baltimore CA are installed and available. See your Baltimore documentation for installation and configuration instructions.

    NOTE: You do not need to install any Baltimore software on the IPSec hosts that will use Baltimore certificates.
  • Set up the PKI structure on the Baltimore CA host. The PKI structure is a part of the CAO component.

  • Enable LDAP.

  • In the CAO->CA Attributes->Certificate CRL and Directory Options tab, be sure that the "IDP Extension on CRLs/ARLs is critical" option is selected.

    NOTE: IPSec/9000 does not support the use of CDPs with Baltimore certificates.
  • Set up a policy or policies in the UniCERT CAO component for use when requesting certificates for IPSec hosts. The policy must contain the following fields:

    • IP address (mandatory for HP IPSec/9000 systems)

    • DNS (Fully Qualified Domain Name)

    • Key Size: 1024

    • Key Type: RSA

    • Key Usage: Digital Signature

    • Certificate Interval Start

    • Certificate Interval End

    • Common Name

    • Org Unit

    • Organization

    • Country Code

Requesting a Certificate

Before you configure a Baltimore certificate in IPSec Manager, you must obtain a PKCS#12 file from the Baltimore Certificate Authority. The Baltimore CA Administrator at your site must use the Face to Face method to request the certificate, and must note certain information during the request and retrieval process. Instructions for the Baltimore CA Administrator are as follows:

  1. Start the RA component of the UniCERT software. Once it is running, start the RAO component.

  2. On the initial RAO screen, you must choose the Face to Face option.

  3. Choose Register New User to request a new certificate. Next, choose a policy set up for requesting IPSec certificates.

  4. Fill out any fields on the certificate request form that are not defaulted. Click Accept when the request form is complete.

    Make a note of the Distinguished Name fields (common name, organizational unit, organization, and country). The IPSec Administrator may need this information to complete the IPSec configuration.

  5. Choose PKCS#12 as the format for the Secret Key. You must choose this format for certificates used by IPSec.

  6. Create a passphrase for the PKCS#12 file.

    Make a note of this passphrase; the IPSec Administrator will use it to import the certificate into IPSec.

  7. Save the PKCS#12 file (use the p12 extension) with the secret key to disk.

    Make a note of the full path to the PKCS#12 file. Later the IPSec Administrator will need to install this file on the IPSec host.

  8. Later, go back to the RAO and choose Collect Reply from Last Request to retrieve the certificate.

  9. Choose to save the certificate to a File.

  10. Choose PKCS#12 encoded certificate as the format in which to save the certificate.

  11. Save the certificate to the same file in which you saved the request with the secret key.

    A "Do you want to replace this file" message will pop up. Choose Yes. The file is not replaced; the new information is appended to the original file.

The PKCS#12 file is encrypted and contains key information used by the IPSec/9000 IKE daemon to register with the Baltimore PKI and perform certificate operations.

NOTE: Once the PKCS#12 file is complete, you must transfer it from its saved location to the IPSec host that will use the certificate. When you save the file to the new location on the IPSec host, be sure to note the full path to the file. This path is necessary to import the certificate into IPSec.
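
Before importing the certificate, the IPSec Administrator can confirm that it carries the fields the policy above requires. The following is an added example, not part of IPSec/9000 or UniCERT: it assumes the certificate text was produced with OpenSSL (for example `openssl pkcs12 -in host.p12 -clcerts -nokeys | openssl x509 -noout -text`, where `host.p12` is a placeholder name) and that the IP address and DNS name appear in the subjectAltName extension. The function name `check_ipsec_cert` and the sample values are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of `openssl x509 -noout -text` output,
# trimmed to the fields checked below. All values are made up.
SAMPLE = """\
        Validity
            Not Before: Jan  1 00:00:00 2002 GMT
            Not After : Jan  1 00:00:00 2003 GMT
        Subject: C=US, O=Example Corp, OU=Network, CN=host1.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name:
                DNS:host1.example.com, IP Address:192.0.2.10
"""

def check_ipsec_cert(text, key_bits=1024):
    """Return the policy problems found in the certificate text (empty list = OK)."""
    problems = []
    subject = re.search(r"^\s*Subject:(.*)$", text, re.M)
    dn = dict(re.findall(r"(\w+)\s*=\s*([^,\n]+)", subject.group(1))) if subject else {}
    problems += [f"subject DN lacks {a}" for a in ("CN", "OU", "O", "C") if a not in dn]
    if "Public Key Algorithm: rsaEncryption" not in text:
        problems.append("key type is not RSA")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not bits or int(bits.group(1)) != key_bits:
        problems.append(f"key size is not {key_bits}")
    usage = re.search(r"X509v3 Key Usage:.*\n\s*(.+)", text)
    if not usage or "Digital Signature" not in usage.group(1):
        problems.append("key usage lacks Digital Signature")
    if not (re.search(r"Not Before\s*:", text) and re.search(r"Not After\s*:", text)):
        problems.append("validity interval missing")
    if not re.search(r"DNS:[\w.-]+", text):
        problems.append("no DNS name in subjectAltName")
    addrs = re.findall(r"IP Address:([0-9A-Fa-f:.]+)", text)
    if not addrs:
        problems.append("no IP address in subjectAltName")
    for addr in addrs:
        try:
            ok = ipaddress.ip_address(addr).version == 4
        except ValueError:
            ok = False
        if not ok:  # the page's NOTE: certificates must carry IPv4 addresses
            problems.append(f"address {addr} is not IPv4")
    return problems
```

An empty list means every policy field was found; each string in a non-empty list names one field to correct in the CAO policy or the request before the certificate is reissued.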

© 2001 Hewlett-Packard Development Company, L.P.