iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)

Integrating the WebSafe2 Internet Security Processor (WISP)
iTP Secure WebServer System Administrator's Guide (522659-001)
Generating the Public/Private Key Pair and Obtaining the Certificate
h. Record the left portion of the cryptogram.
i. Create and record the right portion of the clear text. You can enter your own
clear KEK or have the SCT generate one for you.
j. Record the right portion of the cryptogram.
When you finish the procedure, the SCT displays the check digits for the whole
cryptogram.
The KEK pair you obtain will be used to encrypt data the WISP sends to the iTP Secure
WebServer during runtime. Make a note of the keys, because you will need to enter
them when installing the certificate.
Step 5. Installing the Certificate
Once a certificate from a CA has been received and a KEK pair has been generated
using variant 31, the certificate can be installed through the keyadmin command using
the -websafeadd and -kek_mfk31 arguments.

bin/keyadmin -websafeadd cert-recv-file \
    -widconf config-file -kek_mfk31 kek-cryptogram \
    [-kek_clear kek-value] [-verbose]

Note. The bin/ prefix indicates the directory that contains the keyadmin utility.

You can add certificates that have DNs that are different from the DN used during key
generation. A typical case where this occurs is when a DN is changed by an issuing CA.
When you install such a certificate for the first time, the iTP Secure WebServer creates a
file called newdn.txt (in the root directory) that contains the new DN. If you install any
certificates subsequently that have DNs that are different from those used during key
generation or those installed previously, those certificates’ DNs are appended to the
newdn.txt file. After the newdn.txt file is created, a message will be displayed showing
the current DN that is to be used in all keyadmin commands. This current DN is the one
to be used in the AcceptSecureTransport directive. For information about the
AcceptSecureTransport directive, see AcceptSecureTransport on page A-5.

A sample newdn.txt file is shown below:

DN used at the time of key generation is: CN=hima.lab201.tandem.com,
OU=datadev, O=tandem, L=cupertino, ST=california, C=US
New DN in the certificate to be added is: CN=hima.lab201.tandem.com,
SN=297-68-2381, OU=a-sign.datadev.com, OU=a-sign Server Light Demo CA,
O=Datadev California, C=US
Use the new DN for all your commands requiring a DN for this certificate.
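
Added example (not part of the guide and not HP/Tandem code): a Python review helper that reads a newdn.txt like the sample above, rejoins the wrapped lines, and reports the DN to use now together with the components the issuing CA added or removed. It assumes that entries appended later reuse the sample's wording and that the last recorded DN is the current one; the names review_newdn and split_rdns are hypothetical.

```python
import re

# Constructed sample: the newdn.txt text shown on this page, wrapping included.
SAMPLE_NEWDN = """\
DN used at the time of key generation is: CN=hima.lab201.tandem.com,
OU=datadev, O=tandem, L=cupertino, ST=california, C=US
New DN in the certificate to be added is: CN=hima.lab201.tandem.com,
SN=297-68-2381, OU=a-sign.datadev.com, OU=a-sign Server Light Demo CA,
O=Datadev California, C=US
Use the new DN for all your commands requiring a DN for this certificate.
"""

# Marker phrases come from the sample; entries appended later are assumed
# (not confirmed by the guide) to reuse the same phrases.
ENTRY = re.compile(
    r"(DN used at the time of key generation is:|"
    r"New DN in the certificate to be added is:)\s*(.*?)"
    r"(?=\s*(?:DN used at the time of key generation|"
    r"New DN in the certificate|Use the new DN|$))")

def split_rdns(dn):
    """Split a DN into (attribute, value) pairs; OU may legitimately repeat."""
    parts = re.split(r",\s*(?=[A-Za-z]+=)", dn.strip())
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]

def review_newdn(text):
    """Report key-generation DN, current DN (last recorded) and CA changes."""
    flat = " ".join(text.split())  # undo the line wrapping inside each DN
    keygen, new_dns = None, []
    for label, dn in ENTRY.findall(flat):
        if label.startswith("DN used"):
            keygen = dn
        else:
            new_dns.append(dn)
    if keygen is None or not new_dns:
        raise ValueError("newdn.txt has no key-generation DN / new DN pair")
    old, new = split_rdns(keygen), split_rdns(new_dns[-1])
    cn = lambda rdns: [v for a, v in rdns if a == "CN"]
    return {
        "keygen_dn": keygen,
        "current_dn": new_dns[-1],
        "added": [r for r in new if r not in old],
        "removed": [r for r in old if r not in new],
        "cn_unchanged": cn(old) == cn(new),  # host name should survive reissue
    }

if __name__ == "__main__":
    for key, value in review_newdn(SAMPLE_NEWDN).items():
        print(f"{key}: {value}")
```

A cn_unchanged value of False, or unexpected entries under added, is a cue to compare the certificate against the original request before putting the new DN into keyadmin commands or the AcceptSecureTransport directive.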