The certlocal subcommand manages the private-key database in the /etc/inet/secret/ike.privatekeys directory. Options to the subcommand enable you to add, view, and remove private keys. The command also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate, and the -kc option creates a certificate request.
Parameters that you pass to the certlocal subcommand when you create a private key must be reflected in the ike.config file, as shown in the following table.
Table 21–2 Correspondences Between ike certlocal and ike.config Values

| certlocal options | ike.config entry | Notes |
|---|---|---|
| -A Subject Alternate Name | cert_trust Subject Alternate Name | A nickname that uniquely identifies the certificate. Possible values are IP address, email address, and domain name. |
| -D X.509 Distinguished Name | cert_root X.509 Distinguished Name | The full name of the certificate authority that includes Country, Organization name, Organizational Unit, and Common Name. |
| -t dsa-sha1 | | Slightly slower than RSA. Is not patented. |
| -t rsa-md5 or -t rsa-sha1 | auth_method rsa_sig | Slightly faster than DSA. Patent expired in September 2000. The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as a Distinguished Name, is the biggest. |
| -t rsa-md5 or -t rsa-sha1 | | RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys. |
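The correspondence above is easy to get wrong by hand, so a quick consistency check is worth having before you run certlocal. The following script is an added example, not part of the original documentation: it verifies that the Subject Alternate Name and Distinguished Name you intend to pass as -A and -D are already present as cert_trust and cert_root entries in an ike.config file. It assumes one entry per line in the form `keyword "value"` (leading whitespace allowed) and uses a constructed sample config rather than the real /etc/inet/ike/config.

```shell
#!/bin/sh
# Added example: check that the values intended for
# "ikecert certlocal -A <AltName> -D <DN>" are mirrored as
# cert_trust / cert_root entries in an ike.config file.

ike_config_has() {
    # $1 config file, $2 keyword (cert_trust|cert_root), $3 expected value.
    # Strip leading blanks, then match the whole line literally (-x -F) so
    # that commas, '=' and spaces in a DN are not read as regex syntax.
    sed 's/^[[:space:]]*//' "$1" | grep -qxF "$2 \"$3\""
}

check_certlocal_against_config() {
    # $1 config file, $2 Subject Alternate Name (-A), $3 X.509 DN (-D).
    # Returns 0 when both entries are present, 1 when either is missing.
    rc=0
    if ike_config_has "$1" cert_trust "$2"; then
        echo "ok: cert_trust \"$2\" matches certlocal -A"
    else
        echo "MISSING in $1: cert_trust \"$2\" (certlocal -A value)" >&2
        rc=1
    fi
    if ike_config_has "$1" cert_root "$3"; then
        echo "ok: cert_root \"$3\" matches certlocal -D"
    else
        echo "MISSING in $1: cert_root \"$3\" (certlocal -D value)" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample ike.config fragment (not a real system file).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
cert_trust "192.0.2.10"
cert_root "C=US, O=Example Corp, OU=IT, CN=Example Root CA"
EOF
check_certlocal_against_config "$SAMPLE_CFG" "192.0.2.10" \
    "C=US, O=Example Corp, OU=IT, CN=Example Root CA"
rm -f "$SAMPLE_CFG"
```

Run it against your own file by replacing SAMPLE_CFG with the path to the ike.config you are about to edit; a non-zero exit means the certlocal parameters and the config do not yet agree.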
If you issue a certificate request with the ikecert certlocal -kc command, you send the output of the command to your vendor. The vendor then creates keying material. You use the vendor's keying material as input to the certdb and certrldb subcommands.