test

IPsec and IKE Administration Guide

How to Generate and Store Public Key Certificates on Hardware

Prerequisites for generating and storing public keys and public key certificates on hardware include the following:

Generating and storing public key certificates on hardware is similar to generating and storing public key certificates on your system. There are two differences:

  1. On the system console, become superuser or assume an equivalent role.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session.

  2. Generate a self-signed certificate or a certificate request, and specify the token ID. Choose one of the following options:

    Note –

    The Sun Crypto Accelerator 4000 board supports keys up to 2048 bits for RSA. For DSA, this board supports keys up to 1024 bits.

    • For a self-signed certificate, use this syntax.


      # ikecert certlocal -ks -m 1024 -t rsa-md5 \
> -D "C=US, O=PartyCompany, OU=US-Partym, CN=Partym" \
> -a -T SUN-4000-stor IP=192.168.116.16
Creating hardware private keys.
Enter PIN for PKCS#11 token: Type user:password
-----BEGIN X509 CERTIFICATE-----
MIIBwjCCASsCBD9bz5swDQYJKoZIhvcNAQEEBQAwKDELMAkGA1UEBhMCVVMxGTAX
…
PiktCuvURc1TXswaFyftzmLKWafUOQ==
-----END X509 CERTIFICATE-----

      The argument to the -T option is the token ID from the attached Sun Crypto Accelerator 4000 board.

    • For a certificate request, use this syntax.


      # ikecert certlocal -kc -m 1024 -t rsa-md5 \
> -D "C=US, O=PartyCompany, OU=US-Partym, CN=Partym" \
> -a -T SUN-4000-stor IP=192.168.116.16
Creating hardware private keys.
Enter PIN for PKCS#11 token: Type user:password
-----BEGIN X509 CERTIFICATE-----
MIIBuDCCASECAQAwSTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFBhcnR5Q29tcGFu
…
oKUDBbZ9O/pLWYGr
-----END X509 CERTIFICATE-----

    For a description of the arguments to the ikecert command, see the ikecert(1M) man page

  3. At the prompt for a PIN, type the Sun Crypto Accelerator 4000 user, a colon, and the user's password.

    If the Sun Crypto Accelerator 4000 board has a user ikemgr whose password is rgm4tigt, you would type the following:


    Enter PIN for PKCS#11 token: ikemgr:rgm4tigt
    Note –

    The PIN response is stored on disk as clear text.

  4. Send your certificate for use by the other party. Choose one of the following options:

    • Send the self-signed certificate to the remote system. You can paste the certificate into an email.

    • Send the certificate request to an organization that handles PKI. Follow the instructions of the PKI organization to submit the certificate request. For a more detailed discussion, see Step 3 of How to Configure IKE With Certificates Signed by a CA.

  5. On your system, edit the /etc/inet/ike/config file to recognize the certificates. Choose one of the following options.

    • For a self-signed certificate, use the values that the administrator of the remote system provides for the cert_trust, remote_id, and remote_addr parameters.

      For example, on the enigma system, the ike/config file would appear similar to the following:


      # Explicitly trust the following self-signed certs
# Use the Subject Alternate Name to identify the cert

cert_trust "192.168.116.16"  Local system's certificate
cert_trust "192.168.13.213"  Remote system's certificate

pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so" Hardware connection
…
{
 label "JA-enigmax to US-partym"
 local_id_type dn
 local_id "C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax"
 remote_id "C=US, O=PartyCompany, OU=US-Partym, CN=Partym"

 local_addr  192.168.116.16
 remote_addr 192.168.13.213

 p1_xform
  {auth_method rsa_encrypt oakley_group 2 auth_alg md5 encr_alg 3des}
}

    • For a certificate request, enter the name that the PKI organization provides as the value for the cert_root keyword.

      For example, the ike/config file on the enigma system might appear similar to the following:


      # Trusted root cert
# This certificate is from Example PKI
# This is the X.509 distinguished name for the CA that it issues.

cert_root "C=US, O=ExamplePKI\, Inc., OU=PKI-Example, CN=Example PKI"

pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so" Hardware connection
…
{
 label "JA-enigmax to US-partym - Example PKI"
 local_id_type dn
 local_id "C=JA, O=EnigmaCo, OU=JA-Enigmax, CN=Enigmax"
 remote_id  "C=US, O=PartyCompany, OU=US-Partym, CN=Partym"

 local_addr  192.168.116.16
 remote_addr 192.168.13.213

 p1_xform
  {auth_method rsa_encrypt oakley_group 2 auth_alg md5 encr_alg 3des}
}

  6. Place the certificates from the other party in the hardware.

    Respond to the PIN request as you responded in Step 3.

    Note –

    You must add the public key certificates to the same attached hardware that generated your private key.

    • For a self-signed certificate, add the remote system's self-signed certificate.


      # ikecert certdb -a -T SUN-4000-stor
Press the Return key
Paste the self-signed certificate
<Control>-D
Enter PIN for PKCS#11 token: Type user:password

      If you used rsa_encrypt as the value for the auth_method parameter for a self-signed certificate, add the peer's certificate to the hardware store.


      # ikecert certdb -a -T SUN-4000-stor
Press the Return key
Paste the peer's certificate
<Control>-D
Enter PIN for PKCS#11 token: Type user:password

    • For certificates from a PKI organization, add the certificate that the organization generated from your certificate request, and add the certificate authority (CA).


      # ikecert certdb -a -T SUN-4000-stor
Press the Return key
Paste the returned certificate
<Control>-D
Enter PIN for PKCS#11 token: Type user:password


      # ikecert certdb -a -T SUN-4000-stor
Press the Return key
Paste the CA certificate
<Control>-D
Enter PIN for PKCS#11 token: Type user:password

      To add a certificate revocation list (CRL) from the PKI organization, see How to Handle a Certificate Revocation List.