Configuring IKEv1 With Public Key Certificates

Language:

Public key certificates eliminate the need for communicating systems to share secret keying material out of band. Public certificates from a certificate authority (CA) typically require negotiation with an outside organization. The certificates very easily scale to protect a large number of communicating systems.

Public key certificates can also be generated and stored in attached hardware. For the procedure, see Configuring IKEv1 to Find Attached Hardware.

All certificates have a unique name in the form of an X.509 distinguished name (DN). Additionally, a certificate might have one or more subject alternative names, such as an email address, a DNS name, an IP address, and so on. You can identify the certificate in the IKEv1 configuration by its full DN or by one of its subject alternative names. The format of these alternative names is tag=value, where the format of the value corresponds to its tag type. For example, the format of the email tag is name@domain.suffix.

The following task map lists procedures for creating public key certificates for IKEv1. The procedures include how to accelerate and store the certificates on attached hardware..

Table 15 Configuring IKEv1 With Public Key Certificates Task Map

Task	Description	For Instructions
Configure IKEv1 with self-signed public key certificates.	Creates and places keys and two certificates on each system: A self-signed certificate and its keys The public key certificate from the peer system	How to Configure IKEv1 With Self-Signed Public Key Certificates
Configure IKEv1 with a certificate authority.	Creates a certificate signing request, and then places certificates from the CA on each system. See Using Public Key Certificates in IKE.	How to Configure IKEv1 With Certificates Signed by a CA
Configure public key certificates in local hardware.	Involves one of: Generating a self-signed certificate in the local hardware, then adding the public key from a remote system to the hardware. Generating a certificate signing request in the local hardware, then adding the public key certificates from the CA to the hardware.	How to Generate and Store Public Key Certificates for IKEv1 in Hardware
Update the certificate revocation list (CRL) from the CA.	Accesses the CRL from a central distribution point.	How to Handle Revoked Certificates in IKEv1

Note - To label packets and IKE negotiations on a Trusted Extensions system, follow the procedures in Configuring Labeled IPsec in Trusted Extensions Configuration and Administration.

Public key certificates are managed in the global zone on Trusted Extensions systems. Trusted Extensions does not change how certificates are managed and stored.