iTP Secure WebServer System Administrator's Guide (Version 7.0)
Integrating the WebSafe2 Internet Security Processor (WISP)
iTP Secure WebServer System Administrator's Guide - 523346-012
5-14
Generating the Public/Private Key Pair and Obtaining the Certificate
1. Select Encryption Key MFK1.
2. Define Key Under MFK1.
3. Select 1 for a single length (8-byte) key.
4. Enter 1 as the number of key parts.
5. Select the MFK.
6. Enter input variant 310.
7. Create and record the left portion of the clear text. You can enter your own clear
KEK or have the SCT generate one for you.
8. Record the left portion of the cryptogram.
9. Create and record the right portion of the clear text. You can enter your own clear
KEK or have the SCT generate one for you.
10. Record the right portion of the cryptogram.
When you finish the procedure, the SCT displays the check digits for the whole
cryptogram.
The KEK pair you obtain will be used to encrypt data the WISP sends to the iTP
Secure WebServer during run time. Make a note of the keys, because you will need to
enter them when installing the certificate.
Step 5. Installing the Certificate
After a certificate from a CA has been received and a KEK pair has been generated
using variant 31, the certificate can be installed through the keyadmin command using
the -websafeadd and -kek_mfk31 arguments.
You can add certificates that have DNs that are different from the DN used during key
generation. A typical case where this occurs is when a DN is changed by an issuing
CA.
When you install such a certificate for the first time, the iTP Secure WebServer creates
a file called newdn.txt (in the root directory) that contains the new DN. If you install
any certificates subsequently that have DNs that are different from those used during
key generation or those installed previously, those certificates' DNs are appended to
the newdn.txt file. After the newdn.txt file is created, a message appears, showing
the current DN that is to be used in all keyadmin commands. This current DN is the
one to be used in the AcceptSecureTransport directive. For information about the
AcceptSecureTransport directive, see AcceptSecureTransport on page A-6.










