iTP Secure WebServer System Administrator's Guide (Version 7.0)
Integrating the WebSafe2 Internet Security
Processor (WISP)
iTP Secure WebServer System Administrator’s Guide—523346-012
Generating the Public/Private Key Pair and
Obtaining the Certificate
The WISP generates a public/private key pair and sends it to the NonStop system,
where it is stored in the file named by the keyfile statement in wid.config. A
certificate is obtained by sending a certificate request to a recognized Certificate
Authority (CA). To generate the public/private key pair and obtain a certificate,
complete these steps:
1. Obtain a KEK pair using variant 0. This KEK pair will be used to encrypt the
public/private key pair for transmission to the NonStop system. You use the SCT to
generate the KEK pair. For further details, see Step 1. Obtaining a Key Exchange
Key (KEK) Using Variant 0.
2. Generate a public/private key pair and a certificate request. You use the keyadmin
command to do this. For further details, see Step 2. Generating a Public/Private
Key Pair and a Certificate Request on page 5-11.
3. Request a certificate from a CA. For further details, see Step 3. Requesting a
Certificate From a Certificate Authority (CA) on page 5-13.
4. Obtain a KEK using variant 31. You use the SCT to perform this task. For further
details, see Step 4. Obtaining a KEK Pair Using Variant 31 on page 5-13.
5. Install the certificate received from the CA by using the keyadmin command. For
further details, see Step 5. Installing the Certificate on page 5-14.
Step 1. Obtaining a Key Exchange Key (KEK) Using
Variant 0
You use the SCT Calculate Crypto function to obtain a KEK. The steps outlined
here generate two forms of the double-length (16-byte) KEK: the in-the-clear form
and the form encrypted using the MFK.
For detailed information about the SCT and the Calculate Crypto function, see the
WebSafe Internet Security Processor Installation and Operations Manual. That manual
gives a detailed procedure for obtaining a KEK using variant 0. As you follow that
procedure, keep in mind that the double-length KEK is too long to display on the SCT
screen. Therefore, you create the left part first, recording the clear (unencrypted)
text and then the cryptogram, and then you create the right part, again recording the
clear text and then the cryptogram:
a. Select Encryption Key MFK1.
b. Define Key Under MFK1.
c. Select double length (F2).
d. Enter 1 as the number of key parts.
e. Select the MFK.










