Organizations that protect a large number of communicating systems typically use public certificates from a certificate authority (CA). For background information, see IKE With Public Key Certificates.
You perform this procedure on all IKE systems that use certificates from a CA.
Before You Begin
To use the certificates, you must have completed How to Create and Use a Keystore for IKEv2 Public Key Certificates.
You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
If you administer remotely, see Example 19, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4 for secure remote login instructions.
The following error message can indicate that the CSR file cannot be written to disk:
Warning: error accessing "CSR-file"
If you see this message, change to a directory that you can write to, for example the /tmp directory:
# cd /tmp
You use the ikev2cert gencsr command to create a certificate signing request (CSR). For a description of the arguments to the command, review the pktool gencsr keystore=pkcs11 subcommand in the pktool(1) man page.
For example, the following command creates a file that contains the CSR on the host2 system:
# pfbash
# /usr/sbin/ikev2cert gencsr \
keytype=rsa keylen=2048 label=Example2m \
outcsr=/tmp/Example2mcsr1 \
subject="C=US, O=Example2Co\, Inc., OU=US-Example1m, CN=Example1m"
Enter PIN for Sun Software PKCS#11 softtoken: xxxxxxxx
# cat /tmp/Example2mcsr1
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The CA can tell you how to submit the CSR. Most organizations have a web site with a submission form. The form requires proof that the submission is legitimate. Typically, you paste your CSR into the form.
The ikev2cert import command imports the certificate into the keystore.
# ikev2cert import objtype=cert label=Example1m1 infile=/tmp/Example1m1Cert
# ikev2cert import objtype=cert infile=/tmp/Example1m1CAcert
If the CA has sent separate files for each intermediate certificate, then import them as you imported the preceding certificates. However, if the CA delivers its certificate chain as a PKCS#7 file, you must extract the individual certificates from the file, then import each certificate as you imported the preceding certificates:
# openssl pkcs7 -in pkcs7-file -print_certs
# ikev2cert import objtype=cert label=Example1m1 infile=individual-cert
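As an added example that is not part of the Oracle Solaris documentation, the following POSIX shell helper splits the output of openssl pkcs7 -print_certs into one PEM file per certificate (dropping the subject=/issuer= text lines) and lists the ikev2cert import command for each file. The sample bundle is constructed with placeholder bodies, and the import commands are printed rather than executed so the script runs on any system.

```shell
# Added example (not from the Oracle docs): split a PEM bundle such as the
# output of "openssl pkcs7 -in chain.p7b -print_certs" into one file per
# certificate, ready for "ikev2cert import objtype=cert infile=...".

# split_pem_certs BUNDLE OUTDIR -> writes OUTDIR/cert-N.pem, prints the count
split_pem_certs() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/   { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_cmds OUTDIR -> the ikev2cert import command line for each split file.
# Printed, not executed: run the printed lines in a profile shell on the IKE system.
import_cmds() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf 'ikev2cert import objtype=cert infile=%s\n' "$f"
    done
}

# Constructed sample input standing in for "openssl pkcs7 -print_certs" output:
# two certificates with placeholder bodies (not real certificates).
WORK=$(mktemp -d)
cat > "$WORK/chain.pem" <<'EOF'
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTBODY
-----END CERTIFICATE-----

subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTCERTBODY
-----END CERTIFICATE-----
EOF

COUNT=$(split_pem_certs "$WORK/chain.pem" "$WORK/certs")
echo "split $COUNT certificate(s) into $WORK/certs"
import_cmds "$WORK/certs"
```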
If the certificate contains sections for CRLs or OCSP, you must configure the certificate validation policy according to your site requirements. For instructions, see How to Set a Certificate Validation Policy in IKEv2.
The peer systems need the root certificate and a configured ikev2.config file.
The following ikev2cert command generates a certificate request with one of the FIPS 140-2 approved ECC algorithms, using curve secp521r1 and hash sha512:
# ikev2cert gencsr label=FIPSokcsr \
subject="C=Country, O=Company\, Inc., OU=CompanyServer, CN=Server" \
keytype=ec curve=secp521r1 hash=sha512 \
outcsr=/tmp/FIPSokcsr
If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.