How to Configure IKE With Self-Signed Public Certificates (System Administration Guide: IP Services)

System Administration Guide: IP Services

How to Configure IKE With Self-Signed Public Certificates

Become superuser on the system console.

Note –
Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.

Use the ikecert certlocal -ks command to add a self-signed certificate to the ike.privatekeys database. For example,

# ikecert certlocal -ks -m 1024 -t rsa-md5 \
-D "C=US, O=ExampleCompany, OU=US-Example, CN=Example" \
-A IP=192.168.10.242
Generating, please wait...
Certificate: 
Certificate generated.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

Send the certificate to the communicating system's administrator.

You can cut-and-paste the certificate into an email, as in:

To: root@us.example.com
From: root@un.example.com
Message: -----BEGIN X509 CERTIFICATE-----
MIICLTCCAZagAwIBAgIBATANBgkqhkiG9w0BAQQFADBNMQswCQYDVQQGEwJVUzEX
…
6sKTxpg4GP3GkQGcd0r1rhW/3yaWBkDwOdFCqEUyffzU
-----END X509 CERTIFICATE-----

Edit the /etc/inet/ike/config file to recognize the public keys from a communicating system. For example,

# Explicitly trust the following self-signed certs
# Use the Subject Alternate Name to identify the cert

cert_trust "192.168.10.242"
cert_trust "192.168.11.241"

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 5

{
 label "UN-Example to US-Example"
 local_id_type dn
 local_id "C=US, O=ExampleCompany, OU=UN-Example, CN=Example"
 remote_id_type dn
 remote_id "C=US, O=ExampleCompany, OU=US-Example, CN=Example"

 local_addr 192.168.10.242
 remote_addr 192.168.11.241

 p1_xform
  { auth_method rsa_encrypt oakley_group 2  auth_alg md5  encr_alg des }
}

Do the following substeps to add the communicating system's public key.
1. Copy the public key from the administrator's email.
2. Type the ikecert certdb –a command and type <Return>.
  # ikecert certdb -a <Return>
3. Paste the public key and type <Return>.
  -----BEGIN X509 CERTIFICATE----- MIICL… … KgDid/nxWPlWQU5vMAiwJXfa0sw/A12w448JVkVmEWaf -----END X509 CERTIFICATE----- <Return>
4. End the entry by typing <Control-D>.
  <Control-D>

Verify with the other administrator that the keys have not been tampered with.

For example, you can phone the other administrator to compare the values of the public key hash, as in,

# ikecert certdb -l
        Certificate Slot Name: 0   Type: if-modn
        Subject Name: <C=US, O=ExampleCo, OU=UN-Example, CN=Example>
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818

other system # ikecert certlocal -l
Local ID Slot Name: 1   Type: if-modn
        Key Size: 1024
        Public key hash: 2239A6A127F88EE0CB40F7C24A65B818

Note –

The public key hash above is different from the one that your systems generate.