System Administration Guide: IP Services

ikecert certlocal Command

The certlocal subcommand manages the private key database. Options to this subcommand enable you to add, view, and remove private keys. This subcommand also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate. The -kc option creates a certificate request. Keys are stored on the system in the /etc/inet/secret/ike.privatekeys directory, or on attached hardware with the -T option.

When you create a private key, the options to the ikecert certlocal command must have related entries in the ike/config file. The correspondences between ikecert options and ike/config entries are shown in the following table.

Table 24–1 Correspondences Between ikecert Options and ike/config Entries

ikecert Option

ike/config Entry


-A subject-alternate-name

cert_trust subject-alternate-name

A nickname that uniquely identifies the certificate. Possible values are an IP address, an email address, or a domain name. 

-D X.509-distinguished-name


The full name of the certificate authority that includes the country (C), organization name (ON), organizational unit (OU), and common name (CN). 

-t dsa-sha1

auth_method dss_sig

An authentication method that is slightly slower than RSA.

-t rsa-md5 and

-t rsa-sha1

auth_method rsa_sig

An authentication method that is slightly faster than DSA.

The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as the X.509 distinguished name, is the biggest payload.

-t rsa-md5 and

-t rsa-sha1

auth_method rsa_encrypt

RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys. 



The PKCS #11 library handles key acceleration on the Sun Crypto Accelerator 1000 board, the Sun Crypto Accelerator 6000 board, and the Sun Crypto Accelerator 4000 board. The library also provides the tokens that handle key storage on the Sun Crypto Accelerator 6000 and Sun Crypto Accelerator 4000 boards.

If you issue a certificate request with the ikecert certlocal -kc command, you send the output of the command to a PKI organization or to a certificate authority (CA). If your company runs its own PKI, you send the output to your PKI administrator. The PKI organization, the CA, or your PKI administrator then creates certificates. The certificates that the PKI or CA returns to you are input to the certdb subcommand. The certificate revocation list (CRL) that the PKI returns to you is input for the certrldb subcommand.