The certlocal subcommand manages the private-key database in the /etc/inet/secret/ike.privatekeys directory. Its options add, view, and remove private keys. When it generates a key, the subcommand also emits either a self-signed certificate or a certificate request: the -ks option creates a self-signed certificate, and the -kc option creates a certificate request to be signed by a certificate authority (CA).
When you create a private key, the values that you pass to certlocal must agree with entries in the ike/config file, or IKE cannot use the key: the key type must match an auth_method in a phase 1 rule, and the identity you put in the certificate must match what the peer's cert_trust entry names. The correspondences between certlocal options and ike/config entries are shown in the following table.
Table 3–2 Correspondences Between ike certlocal and ike/config Values

| certlocal option | ike/config entry | Notes |
|---|---|---|
| -A Subject Alternate Name | cert_trust Subject Alternate Name | A nickname that uniquely identifies the certificate, given as tag=value. The tag names the type of value: an IP address (IP=), a DNS domain name (DNS=), or an email address (email=). |
| -D X.509 Distinguished Name | X.509 Distinguished Name | The full Distinguished Name of the certificate subject, composed of Country (C), Organization (O), Organizational Unit (OU), and Common Name (CN). For a self-signed certificate (-ks) the same name is also the issuer. |
| -t dsa-sha1 | auth_method dss_sig | Slightly slower than RSA. Not encumbered by patent licensing. |
| -t rsa-md5, -t rsa-sha1 | auth_method rsa_sig | Slightly faster than DSA. The RSA patent expired in September 2000. MD5 is no longer collision resistant, so prefer rsa-sha1 over rsa-md5 wherever the peer supports it. |
| -t rsa-md5, -t rsa-sha1 | auth_method rsa_encrypt | RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers already know each other's public keys. Because the identity payload is encrypted with the peer's public key, the RSA key must be large enough to encrypt the biggest payload; typically, an identity payload such as a Distinguished Name is the biggest payload. |
If you issue a certificate request with the ikecert certlocal -kc command, you send the output of the command to a PKI organization. If your company runs its own PKI, you send the output to your PKI administrator. The organization or your PKI administrator signs the request and returns a certificate, usually together with the CA's certificate and certificate revocation list (CRL). You load the returned certificates with the certdb subcommand and the CRL with the certrldb subcommand; the private key itself never leaves the ike.privatekeys database.
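The following script is an added example and is not code from the Solaris documentation. It wraps the certlocal -kc / -ks invocation and the certdb / certrldb imports described above, rejects key types and Distinguished Names that Table 3–2 would not accept, and checks a constructed ike/config sample for a rule whose auth_method can use the key type just generated. It assumes the ikecert(1M) syntax `certlocal -kc|-ks -m keysize -t keytype -D dname -A altname` and that `certdb -a` and `certrldb -a` read a PEM object on standard input; the sample configuration, host names and file names are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the Solaris documentation.
# Assumed (not taken from the page): ikecert(1M) option syntax shown below,
# and that certdb -a / certrldb -a read a PEM object from stdin.
# IKE_DRY_RUN=1 (the default) prints each command instead of running it,
# so the script also runs on a host without ikecert.

IKE_DRY_RUN=${IKE_DRY_RUN:-1}

run() {
    if [ "$IKE_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Key types accepted by certlocal -t, mapped to the ike/config auth_method
# values that can use a key of that type (Table 3-2).
auth_methods_for() {
    case "$1" in
        dsa-sha1)         echo "dss_sig" ;;
        rsa-md5|rsa-sha1) echo "rsa_sig rsa_encrypt" ;;
        *)                return 1 ;;
    esac
}

validate_keytype() {
    auth_methods_for "$1" >/dev/null || {
        echo "error: -t must be dsa-sha1, rsa-md5 or rsa-sha1 (got $1)" >&2; return 1; }
    # MD5 is no longer collision resistant; only pick it for a peer that needs it.
    [ "$1" = rsa-md5 ] && echo "warning: rsa-md5 chosen, prefer rsa-sha1 if the peer allows it" >&2
    return 0
}

# The DN handed to -D must carry the four components the table lists.
validate_dn() {
    for comp in C= O= OU= CN=; do
        case "$1" in
            *"$comp"*) ;;
            *) echo "error: DN '$1' lacks $comp" >&2; return 1 ;;
        esac
    done
}

# certlocal_key MODE KEYTYPE BITS DN ALTNAME
#   MODE is kc (emit a certificate request) or ks (emit a self-signed cert).
certlocal_key() {
    mode=$1 keytype=$2 bits=$3 dn=$4 altname=$5
    case "$mode" in kc|ks) ;; *) echo "error: mode must be kc or ks" >&2; return 1 ;; esac
    validate_keytype "$keytype" || return 1
    validate_dn "$dn" || return 1
    run ikecert certlocal "-$mode" -m "$bits" -t "$keytype" -D "$dn" -A "$altname"
}

# Load what the CA (or your PKI administrator) sends back.
import_signed_cert() {   # $1: PEM file holding the signed certificate
    if [ "$IKE_DRY_RUN" = 1 ]; then echo "ikecert certdb -a < $1"; else ikecert certdb -a < "$1"; fi
}
import_crl() {           # $1: PEM file holding the CA's CRL
    if [ "$IKE_DRY_RUN" = 1 ]; then echo "ikecert certrldb -a < $1"; else ikecert certrldb -a < "$1"; fi
}

# check_ike_config KEYTYPE FILE: succeed if at least one rule in FILE has an
# auth_method that can use a KEYTYPE key; rules that cannot are reported.
check_ike_config() {
    keytype=$1 cfg=$2
    ok=$(auth_methods_for "$keytype") || { echo "error: unknown key type $keytype" >&2; return 1; }
    matches=0
    # Strip comments, then take the token after every auth_method keyword,
    # wherever it sits on the line (usually inside a p1_xform { ... } block).
    for m in $(sed 's/#.*//' "$cfg" |
               awk '{ for (i = 1; i < NF; i++) if ($i == "auth_method") print $(i + 1) }'); do
        case " $ok " in
            *" $m "*) matches=$((matches + 1)) ;;
            *) echo "note: a rule uses auth_method $m, which cannot use a $keytype key" >&2 ;;
        esac
    done
    [ "$matches" -gt 0 ]
}

# Constructed sample ike/config (not a real configuration), used for the demo.
write_sample_ike_config() {   # $1: destination file
    cat > "$1" <<'EOF'
# peer authenticated with a certificate
cert_trust "IP=192.0.2.1"
{
  label "gw1 to gw2"
  local_id_type dn
  local_id "C=US,O=Example,OU=IT,CN=gw1.example.com"
  p1_xform { auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg 3des }
}
{
  label "legacy preshared peer"
  p1_xform { auth_method preshared oakley_group 2 auth_alg sha1 encr_alg 3des }
}
EOF
}

demo() {
    dn="C=US,O=Example,OU=IT,CN=gw1.example.com"
    certlocal_key kc rsa-sha1 2048 "$dn" IP=192.0.2.1        # request, goes to the CA
    certlocal_key ks rsa-sha1 2048 "$dn" DNS=gw1.example.com  # or a self-signed cert
    import_signed_cert gw1.cert.pem
    import_crl ca.crl.pem
    cfg=$(mktemp) && write_sample_ike_config "$cfg"
    check_ike_config rsa-sha1 "$cfg" && echo "ike/config has a rule that can use an rsa-sha1 key"
    rm -f "$cfg"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh ikecert-wrap.sh demo` to see the command lines it would issue; set `IKE_DRY_RUN=0` on a Solaris host to execute them. The configuration check only proves that some rule can use the key type; it does not verify the peer's cert_trust entry, which you still have to compare by hand against the -A value you chose.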