HP TMS zl Module Security Administrator's Guide
4-394
Configuring a VPN on the HP TMS zl Module
Manage Certificates
If you selected certificates for the IKE authentication method for any of your
VPNs (RSA Signature or DSA Signature), you must set up certificates on the
TMS zl Module.
The module requires:
■ A CA root certificate for the CA that will sign the module’s IPsec certificate
■ A CA root certificate for the CA that will sign the remote endpoints’ IPsec
certificates (often the same CA as the previous certificate)
■ An IPsec certificate for the TMS zl Module
■ An up-to-date certificate revocation list (CRL)
You can install certificates manually or using SCEP (for the latter, the CA must
support SCEP as well). Read the appropriate section:
■ “Install Certificates Manually” on page 4-394
■ “Install Certificates Using SCEP” on page 4-418
Install Certificates Manually
Follow the steps in the sections below to install a certificate manually.
Generate or Install a Private Key
1. In the PCM+ navigation tree, expand the Network Management Home >
Agent Groups > Default Agent Group > Devices > TMS zl folders.
When Required Type From Zone To Zone Service Source Destination MSS Number of policies
• Dynamic routing over the tunnel
• Default policies disabled
Multicast Tunnel SELF OSPF or RIP 6 Any Address or multicast address — 1
• Dynamic routing over the tunnel
• Default policies disabled
Multicast SELF Tunnel OSPF or RIP 5 Any Address or multicast address — 1