Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 7C: Configuring a Baltimore Certificate


Complete this step only if you selected RSA signature as your ISAKMP authentication algorithm in Step 6 and want to configure a Baltimore Certificate. If not, go to "Step 7A: Configuring an Entrust Certificate", "Step 7B: Configuring a Verisign Certificate", or "Step 7D: Configuring a Preshared Key".

Before entering information into the Baltimore certificate screens, you must have received a PKCS#12 file from the Baltimore Certificate Authority that includes the CA Certificate, User Private Key, and User Certificate information. You must also have obtained, from the Baltimore administrator, the passphrase used to protect the PKCS#12 file. For instructions on obtaining a PKCS#12 file, see Step 5C: Requesting a Baltimore Certificate.

  1. Select Certificate Authority from the Options menu.

  2. The Certificates tab is enabled on the IPSec Manager window. If the Baltimore window is not already displayed, click the Baltimore tab at the left side of the screen.

  3. Click Import Cert to import the certificate contained in the PKCS#12 file.

    The Import Certificate screen appears.

  4. Enter the IP address of the CA provided by the Baltimore CA Administrator.

  5. Enter the full path for the PKCS#12 file you received from the Baltimore CA Administrator. You can use the Browse button to locate the PKCS#12 file if you do not know the full path.

  6. Enter the passphrase provided to you by the Baltimore CA Administrator. This must be the same passphrase used to secure the PKCS#12 file.

  7. If you plan to use the Baltimore CRL, follow the steps below to fill out the CRL server information. HP recommends that you use the CRL provided by the CA if you choose to use certificates.

    1. Enter the server name or IP address of the LDAP server where the Certificate Revocation List (CRL) for the Baltimore PKI is stored.

    2. Enter the TCP port number used for connecting to the LDAP server where the CRL is stored.

      The standard port number for an LDAP server is 389.

    3. Enter the search base values for the CRL for the CA. The search base is not case sensitive.

      You can obtain the search base values from your LDAP Administrator. The search base is the suffix configured to store all certificates and CRLs in the LDAP directory.

      These values, combined with the search filter values, form the path or part of the path to the location of the CRL on the LDAP server. The values of the search base and the search filter may form the certificate distinguishedName.

      The following are examples of search base values. Please note that the syntax of these examples is precise, including delimiting commas between attributes and lack of other punctuation.

      • ou=ipsec, o=hp, c=US

      • o=hp, c=US

      • c=US

    4. Enter the search filter values for the CRL. The search filter is not case sensitive.

      You can obtain search filter values from your LDAP Administrator. These values should form the second part of a path, beginning with the search base, to the location of the CRL on the LDAP server.

      The values of the search base and the search filter may combine to form the certificate distinguishedName (DN). If the search base and search filter form the DN, they must not overlap. For example, the value o=HP can be a part of the search base value or the search filter value, but not both.

      The following are examples of search filter values. Each example corresponds to the search base example in the same position in substep 3. Please note that the syntax of these examples is precise, including delimiting commas between attributes and lack of other punctuation.

      • cn=unicertpki1

      • cn=unicertpki1, ou=ipsec

      • cn=unicertpki1, ou=ipsec, o=hp

  8. Click OK. The certificate configuration is saved.
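
The search base and search filter rules from step 7 can be checked before you type the values into the Import Certificate screen. The following Python sketch is an added example, not part of IPSec/9000 or the original page: the function names are hypothetical, and it assumes the DN is the search filter components followed by the search base components, with plain comma-delimited `attribute=value` syntax as in the page's examples.

```python
def parse_rdns(value):
    """Split 'cn=x, ou=y' into normalized (attribute, value) pairs."""
    rdns = []
    for part in value.split(","):
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed component: {part!r}")
        # Both fields are case-insensitive, so compare in lowercase.
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return rdns


def crl_dn(search_filter, search_base):
    """Combine filter + base into a DN (assumed order), rejecting overlap."""
    f, b = parse_rdns(search_filter), parse_rdns(search_base)
    overlap = set(f) & set(b)
    if overlap:
        dup = ", ".join(f"{a}={v}" for a, v in sorted(overlap))
        raise ValueError(f"in both search base and search filter: {dup}")
    return ", ".join(f"{a}={v}" for a, v in f + b)


# The three (search filter, search base) pairs listed in step 7.
PAGE_PAIRS = [
    ("cn=unicertpki1", "ou=ipsec, o=hp, c=US"),
    ("cn=unicertpki1, ou=ipsec", "o=hp, c=US"),
    ("cn=unicertpki1, ou=ipsec, o=hp", "c=US"),
]


def check_pairs(pairs=PAGE_PAIRS):
    """Return the set of distinct DNs the pairs resolve to."""
    return {crl_dn(f, b) for f, b in pairs}


if __name__ == "__main__":
    # All three pairs from the page resolve to the same single DN.
    print(check_pairs())
    try:
        # Constructed bad input: o=HP appears in both fields.
        crl_dn("cn=unicertpki1, o=HP", "o=hp, c=US")
    except ValueError as err:
        print("rejected:", err)
```

All three pairs from the page resolve to one DN, which shows that the split point between search base and search filter is a matter of choice as long as no component is repeated.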

Go on to Step 8: Configuring a Certificate ID.

© 2001 Hewlett-Packard Development Company, L.P.