HP-UX IPSec A.03.02.02 Release Notes HP-UX 11i version 3 (766158-001, April 2014)
Privacy-Enhanced Mail (PEM) base64 encoding. This CSR format is typically used for
“copy and paste” certificate requests.
If you are using a CA or PKI utility to create the key pair and CSR, the CA must provide
the certificate for the local system and the private key in a PKCS#12 encoded file.
◦ Certificates: The CA must provide X.509 Version 3 certificates encoded using one of the
following formats:
– Privacy-Enhanced Mail base64 (PEM)
– Distinguished Encoding Rules (DER)
– PKCS#12 (valid only for the local system certificate; not valid for CA certificates)
The ipsec_config utility can load a certificate from a local file. The ipsec_config
utility can also retrieve the certificate from an LDAP directory.
◦ Certificate Revocation Lists: The CA must provide X.509 Version 1 or X.509 Version 2
Certificate Revocation Lists (CRLs).
Implementations that meet these requirements include:
• OpenSSL
• Microsoft Windows 2003 Certification Authority
Multiple-level CA requirements
If you are using a multiple-level CA structure, or chained CAs, you must have a certificate for each
CA in the authentication chain to the peer, and a CRL for each CA. In other words, you must have
a certificate and CRL for each of the following CAs:
• the root CA
• each CA in the authentication chain from the local system to the root CA
• each CA in the authentication chain from the peer system to the root CA
Each certificate and CRL must be contained in a separate certificate file or directory object; HP-UX
cannot store multiple certificates or CRLs from a single file or directory object.
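The one-object-per-file rule matters because CAs often deliver the whole chain as a single concatenated PEM bundle. The following sketch is an added example, not part of the HP release notes: it splits such a bundle into one file per certificate or CRL. The function names, file names and the sample bundle (placeholder bodies, not real certificates) are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a PEM bundle so each certificate/CRL gets its own file.

# count_pem_objects FILE: print the number of certificates plus CRLs in FILE.
count_pem_objects() {
    awk '/^-----BEGIN (CERTIFICATE|X509 CRL)-----/ { n++ } END { print n + 0 }' "$1"
}

# split_pem_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem and OUTDIR/crl-N.pem,
# one PEM object per file, and print "<certs> <crls>". Text outside the
# BEGIN/END markers (for example subject= lines) is dropped.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        function start(kind, n) { out = sprintf("%s/%s-%d.pem", dir, kind, n) }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----/ { start("cert", ++certs) }
        /^-----BEGIN X509 CRL-----/    { start("crl", ++crls) }
        out != "" { print > out }
        /^-----END / && out != "" { close(out); out = "" }
        END { printf "%d %d\n", certs, crls }
    ' "$1"
}

# make_sample_bundle FILE: constructed bundle (root CA, intermediate CA,
# peer-side CA, one CRL). Bodies are placeholders, not valid DER.
make_sample_bundle() {
    : > "$1"
    for label in "root CA" "intermediate CA" "peer-side CA"; do
        printf '%s\n' "subject=constructed $label" \
            "-----BEGIN CERTIFICATE-----" "PLACEHOLDERBODYNOTAREALCERT" \
            "-----END CERTIFICATE-----" >> "$1"
    done
    printf '%s\n' "-----BEGIN X509 CRL-----" "PLACEHOLDERBODYNOTAREALCRL" \
        "-----END X509 CRL-----" >> "$1"
}

# Demo run on the constructed bundle.
demo_dir="${TMPDIR:-/tmp}/pem-split-demo.$$"
mkdir -p "$demo_dir"
make_sample_bundle "$demo_dir/ca-bundle.pem"
echo "objects in bundle: $(count_pem_objects "$demo_dir/ca-bundle.pem")"
echo "certs/CRLs written: $(split_pem_bundle "$demo_dir/ca-bundle.pem" "$demo_dir/split")"
rm -rf "$demo_dir"
```

Running count_pem_objects on each output file before loading it confirms that the file holds exactly one certificate or CRL.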