Securing the Network in Oracle® Solaris 11.2

Updated: August 2014

IKEv2 Policy for Public Certificates

The kmf-policy.xml file contains the certificate validation policy for IKEv2. The kmfcfg dbfile=/etc/inet/ike/kmf-policy.xml policy=default command is used to modify the certificate validation policy. Typical modifications include the use of OCSP and CRLs, and the duration of network timeouts during certificate verification. Additionally, the policy enables an administrator to modify various aspects of certificate validation, such as validity date enforcement and key usage requirements. Loosening the default requirements for certificate validation is not recommended.
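
The following Python check is an added example, not part of the Oracle documentation: it reports settings in a KMF policy file that loosen certificate validation. The XML element and attribute names are assumed to follow the kmfcfg option names, and the sample policy is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. The element and attribute layout is an assumption
# modelled on the kmfcfg option names; check it against your own kmf-policy.xml.
SAMPLE_POLICY = """<kmf-policy-db>
  <kmf-policy name="default" ignore-date="TRUE" ignore-trust-anchor="FALSE">
    <validation-methods>
      <ocsp>
        <ocsp-basic uri-from-cert="TRUE" ignore-response-sign="TRUE"/>
      </ocsp>
    </validation-methods>
  </kmf-policy>
</kmf-policy-db>"""

# (path below <kmf-policy>, attribute, effect when the attribute is TRUE)
LOOSENING = [
    (".", "ignore-date", "certificate validity dates are not enforced"),
    (".", "ignore-unknown-eku", "unrecognized extended key usages are accepted"),
    (".", "ignore-trust-anchor", "the chain is not verified against a trust anchor"),
    ("validation-methods/ocsp/ocsp-basic", "ignore-response-sign",
     "OCSP response signatures are not verified"),
    ("validation-methods/crl", "ignore-crl-sign", "CRL signatures are not verified"),
    ("validation-methods/crl", "ignore-crl-date", "expired CRLs are accepted"),
]


def audit_policy(xml_text, policy_name="default"):
    """Return (attribute, effect) pairs for every loosened setting in the policy."""
    root = ET.fromstring(xml_text)
    for policy in root.iter("kmf-policy"):
        if policy.get("name") != policy_name:
            continue
        findings = []
        for path, attr, effect in LOOSENING:
            node = policy.find(path)
            if node is not None and node.get(attr, "FALSE").upper() == "TRUE":
                findings.append((attr, effect))
        return findings
    raise KeyError("policy %r not found" % policy_name)


if __name__ == "__main__":
    for attr, effect in audit_policy(SAMPLE_POLICY):
        print("LOOSENED %s: %s" % (attr, effect))
```

To audit a live system, pass the contents of /etc/inet/ike/kmf-policy.xml to audit_policy() in place of the sample string.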