IKE Public Key Databases and Commands (IPsec and IKE Administration Guide)

IPsec and IKE Administration Guide

IKE Public Key Databases and Commands

The ikecert command manipulates the local system's publickey databases. You use this command when the ike/config file requires public key certificates. Because IKE uses these databases to authenticate the Phase 1 exchange, the databases must be populated before activating the in.iked daemon. Three subcommands handle each of the three databases: certlocal, certdb, and certrldb.

The ikecert command also handles key storage on the Sun Crypto Accelerator 4000 board. The tokens argument to the ikecert command lists the token IDs that are available on the board. The command finds the board through the PKCS #11 library that is specified in the /etc/inet/ike/config file. The PKCS #11 entry must be present. Otherwise, the -T option to the ikecert commands cannot work. The entry appears similar to the following:

pkcs11_path "/opt/SUNWconn/lib/libpkcs11.so"

For more information, see the ikecert(1M) man page.

`ikecert tokens` Command

The tokens argument lists the token IDs that are available on the Sun Crypto Accelerator 4000 board. Token IDs enable the ikecert certlocal and ikecert certdb commands to generate public key certificates and certificate requests on the board.

`ikecert certlocal` Command

The certlocal subcommand manages the private-key database. Options to this subcommand enable you to add, view, and remove private keys. This subcommand also creates either a self-signed certificate or a certificate request. The -ks option creates a self-signed certificate. The -kc option creates a certificate request. Keys are stored on the system in the /etc/inet/secret/ike.privatekeys directory, or on attached hardware with the -T option..

When you create a private key, the ikecert command relies on entries in the ike/config file. The correspondences between ikecert options and ike/config entries are shown in the following table.

Table 3–2 Correspondences Between ikecert Options and ike/config Entries


`ikecert` Options	`ike/config` Entry	Notes
`-A` `subject-alternate-name`	`cert_trust` `subject-alternate-name`	A nickname that uniquely identifies the certificate. Possible values are an IP address, an email address, or a domain name.
`-D` `X.509-distinguished-name`	`X.509-distinguished-name`	The full name of the certificate authority that includes the Country, Organization name, Organizational Unit, and Common Name.
`-t dsa-sha1`	`auth_method dss_sig`	An authentication method that is slightly slower than RSA. Is not patented.
`-t rsa-md5`, and `-t rsa-sha1`	`auth_method rsa_sig`	An authentication method that is slightly faster than DSA. Patent expired in September 2000. The RSA public key must be large enough to encrypt the biggest payload. Typically, an identity payload, such as the X.509 distinguished name, is the biggest payload.
`-t rsa-md5`, and `-t rsa-sha1`	`auth_method rsa_encrypt`	RSA encryption hides identities in IKE from eavesdroppers, but requires that the IKE peers know each other's public keys.
`-T`	`pkcs11_path`	The PKCS #11 library handles key acceleration on the Sun Crypto Accelerator 1000 board and the Sun Crypto Accelerator 4000 board. The library also provides the tokens that handle key storage on the Sun Crypto Accelerator 4000 board.

If you issue a certificate request with the ikecert certlocal –kc command, you send the output of the command to a PKI organization or a certificate authority (CA). If your company runs its own PKI, you send the output to your PKI administrator. The PKI organization, the CA, or your PKI administrator then creates certificates. The certificates that the PKI or CA returns to you are input to the certdb subcommand. The CRL that the PKI returns to you is input for the certrldb subcommand.

`ikecert certdb` Command

The certdb subcommand manages the publickey database. Options to the subcommand enable you to add, view, and remove certificates and public keys. The command accepts, as input, certificates that were generated by the ikecert certlocal –ks command on a remote system. See How to Configure IKE With Self-Signed Public Key Certificates for the procedure. This command also accepts the certificate that you receive from a PKI or CA as input. See How to Configure IKE With Certificates Signed by a CA for the procedure.

On the system, the certificates and public keys are stored in the /etc/inet/ike/publickeys directory. The -T option stores the certificates, private keys, and public keys on attached hardware.

`ikecert certrldb` Command

The certrldb subcommand manages the certificate revocation list (CRL) database, /etc/inet/ike/crls. The crls database maintains the revocation lists for public keys. Certificates that are no longer valid are on this list. When PKIs provide you with CRLs, you install the CRLs in the CRL database with the ikecert certrldb command. See How to Handle a Certificate Revocation List for the procedure.

`/etc/inet/ike/publickeys` Directory

The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or slots. The /etc/inet/ike directory is protected at 0755. The ikecert certdb command populates the directory. The -T option stores the keys on the Sun Crypto Accelerator 4000 board rather than in the publickeys directory.

The slots contain, in encoded form, the X.509 distinguished name of a certificate that was generated on another system. If you are using self-signed certificates, you use the certificate that you receive from the administrator of the remote system as input to the command. If you are using certificates from a PKI, you install two pieces of keying material from the PKI into this database. You install a certificate that is based on material that you sent to the PKI. You also install a CA from the PKI.

`/etc/inet/secret/ike.privatekeys` Directory

The /etc/inet/secret/ike.privatekeys directory holds private key files that are part of a public-private key pair, which is keying material for ISAKMP SAs. The directory is protected at 0700. The ikecert certlocal command populates the ike.privatekeys directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed. The public key counterparts are stored in the /etc/inet/ike/publickeys directory or on a Sun Crypto Accelerator 4000 board.

`/etc/inet/ike/crls` Directory

The /etc/inet/ike/crls directory contains certificate revocation list (CRL) files. Each file corresponds to a public certificate file in the /etc/inet/ike/publickeys directory. PKI organizations provide the CRLs for their certificates. You use the ikecert certrldb command to populate the database.