iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)
Integrating the WebSafe2 Internet Security Processor (WISP)
iTP Secure WebServer System Administrator’s Guide—522659-001
5-16
How to Use Server Certificate Chains With WebSafe2 Encryption
The iTP Secure WebServer’s SSL 3.0 protocol allows you to send and receive certificate
chains and to use certificate chains with WebSafe2 encryption. By using the certificate
chain option, you can establish a certificate hierarchy that is more than two certificates
deep. Server certificate chain support allows iTP Secure WebServers to use VeriSign
Global Server IDs, which are certificate chains.
For information about Global Server IDs, see Support for International 128-Bit SSL
Sessions Using VeriSign’s Global Server ID on page 4-5. For more information about
certificates and certificate chains, see Using Certificates
on page D-6.
No configuration changes to the iTP Secure WebServer or WID are required for this
feature. However, because certificate chain transmission between clients and servers
requires SSL 3.0 support, you need to ensure that you are using the latest versions of
both the iTP Secure WebServer and the WID.
To create a server certificate chain, do the following:
1. Obtain leaf and intermediate certificates from the appropriate CA. You can get
certificates to support a Global Server ID from VeriSign at the following web site:
http://www.verisign.com
2. For a certificate chain sent from VeriSign, the leaf certificate is the certificate that
follows the text SERVER SUBSCRIBER CERTIFICATE, and the intermediate
certificate is the certificate that follows the text INTERMEDIATE CA
CERTIFICATE. The leaf certificate must be added before the intermediate
certificate.
3. Store the leaf certificate, including the lines labeled
----- BEGIN CERTIFICATE ----- and
----- END CERTIFICATE -----, in the designated certificate file
(cert.txt in the example) using the keyadmin command as shown in the
following example:
keyadmin -websafeadd cert.txt -widconf widconf -kek_mfk31 kek_mfk31
4. Store the intermediate certificate, including the lines labeled
----- BEGIN CERTIFICATE ----- and
----- END CERTIFICATE -----, in the designated intermediate certificate
file (intermediate.txt in the example) using the keyadmin command as
shown in the following example:
keyadmin -websafeadd intermediate.txt -widconf widconf -kek_mfk31 kek_mfk31
Note. For a complete discussion of the keyadmin -websafeadd command, see Step 5.
Installing the Certificate on page 5-13.
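The split described in step 2 and the leaf-first order of steps 3 and 4, as an added shell example that is not part of the guide. It assumes the CA delivery is a text file containing the two headings named in step 2; split_chain, add_chain, delivery.txt and the KEYADMIN variable are hypothetical names, and the script only prints the keyadmin commands unless KEYADMIN is set.

```shell
#!/bin/sh
# Added example (not from the guide): split a CA delivery into the leaf and
# intermediate files by the headings named in step 2, then add leaf first.

split_chain() {   # $1 = delivery text, $2 = leaf file, $3 = intermediate file
    : > "$2"; : > "$3"     # start from empty output files
    awk -v leaf="$2" -v inter="$3" '
        /SERVER SUBSCRIBER CERTIFICATE/ { target = leaf;  next }
        /INTERMEDIATE CA CERTIFICATE/   { target = inter; next }
        # Accept the markers with or without the spaces printed in the guide.
        /^-----[ ]?BEGIN CERTIFICATE[ ]?-----/ && target != "" { out = target }
        out != "" { print > out }
        /^-----[ ]?END CERTIFICATE[ ]?-----/ && out != "" {
            n[out]++; out = ""; target = ""
        }
        # Succeed only if each heading produced exactly one complete block.
        END { exit !(n[leaf] == 1 && n[inter] == 1) }
    ' "$1"
}

# Dry run by default: prints the commands of steps 3 and 4 in order.
# KEYADMIN is a hypothetical variable; set KEYADMIN=keyadmin to execute them.
add_chain() {     # $1 = delivery text; writes cert.txt and intermediate.txt
    split_chain "$1" cert.txt intermediate.txt || {
        echo "expected one leaf and one intermediate certificate in $1" >&2
        return 1   # nothing is added when the delivery is incomplete
    }
    ${KEYADMIN:-echo keyadmin} -websafeadd cert.txt \
        -widconf widconf -kek_mfk31 kek_mfk31 &&
    ${KEYADMIN:-echo keyadmin} -websafeadd intermediate.txt \
        -widconf widconf -kek_mfk31 kek_mfk31
}

# Constructed sample delivery; the bodies are placeholders, not certificates.
demo_dir=$(mktemp -d)
cat > "$demo_dir/delivery.txt" <<'EOF'
SERVER SUBSCRIBER CERTIFICATE
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
INTERMEDIATE CA CERTIFICATE
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
(cd "$demo_dir" && add_chain delivery.txt)
rm -rf "$demo_dir"
```

A delivery that lacks either heading, or whose certificate block has no END line, makes split_chain return non-zero, so add_chain stops before the leaf is added without its intermediate.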