System Administration Guide: IP Services

ikecert certlocal Command

The certlocal subcommand manages the private-key database in the /etc/inet/secret/ike.privatekeys directory. Options to the subcommand enable you to add, view, and remove private keys. The command also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate, and the -kc option creates a certificate request.

Parameters that you pass to the certlocal subcommand when you create a private key must be reflected in the ike.config file, as shown in the following table.

Table 21–2 Correspondences Between ike certlocal and ike.config Values

certlocal options

ike.config entry


-A Subject Alternate Name

cert_trust Subject Alternate Name

A nickname that uniquely identifies the certificate. Possible values are IP address, email address, and domain name. 

-D X.509 Distinguished Name

cert_root X.509 Distinguished Name

The full name of the certificate authority that includes Country, Organization name, Organizational Unit, and Common Name. 

-t dsa-sha1

auth_method dss_sig

Slightly slower than RSA. Is not patented. 

-t rsa-md5

-t rsa-sha1

auth_method rsa_sig

Slightly faster than DSA. Patent expired in September 2000. 

The RSA public key must be large enough to encrypt the biggest payload, Typically, an identity payload, such as Distinguished Name, is the biggest. 

-t rsa-md5

-t rsa-sha1

auth_method rsa_encrypt

RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys. 

If you issue a certificate request with the ikecert certlocal –kc command, you send the output of the command to your vendor. The vendor then creates keying material. You use the vendor's keying material as input to the certdb and certrldb subcommands.