Securing the Network in Oracle® Solaris 11.4

Updated: May 2021

How to Configure IKEv2 With Certificates Signed by a CA

Organizations that protect a large number of communicating systems typically use public certificates from a certificate authority (CA). For background information, see IKE With Public Key Certificates.

You perform this procedure on all IKE systems that use certificates from a CA.

Before You Begin

To use the certificates, you must have completed How to Create and Use a Keystore for IKEv2 Public Key Certificates.

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

If you administer remotely, see Example 19, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.4 for secure remote login instructions.

  1. Change to a writable directory.

    The following error message can indicate that the CSR file cannot be written to disk:

    Warning: error accessing "CSR-file"

    For example, use the /tmp directory.

    # cd /tmp
  2. Create a certificate signing request.

    You use the ikev2cert gencsr command to create a certificate signing request (CSR). For a description of the arguments to the command, review the pktool gencsr keystore=pkcs11 subcommand in the pktool(1) man page.

    For example, the following command creates a file that contains the CSR on the host2 system:

    # pfbash
    # /usr/sbin/ikev2cert gencsr \
    keytype=rsa \
    keylen=2048 \
    label=Example2m \
    outcsr=/tmp/Example2mcsr1 \
    subject="C=US, O=Example2Co\, Inc., OU=US-Example1m, CN=Example1m"
    Enter PIN for Sun Software PKCS#11 softtoken: xxxxxxxx
  3. (Optional) Copy the contents of the CSR for pasting into the CA's web form.
    # cat /tmp/Example2mcsr1
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    
  4. Submit the CSR to a certificate authority (CA).

    The CA can tell you how to submit the CSR. Most organizations have a web site with a submission form. The form requires proof that the submission is legitimate. Typically, you paste your CSR into the form.

    Tip  -  Some web forms have an Advanced button where you can paste your CSR. The CSR is generated in PKCS#10 format. Therefore, find the portion of the web form that mentions PKCS#10.
  5. Import each certificate that you receive from the CA into your keystore.

    The ikev2cert import command imports a certificate into the keystore.

    1. Import the public key and certificate that you received from the CA.
      # ikev2cert import objtype=cert label=Example1m1 infile=/tmp/Example1m1Cert

      Tip  -  For administrative convenience, assign the same label to the imported certificate as the label of the original CSR.
    2. Import the root certificate from the CA.
      # ikev2cert import objtype=cert infile=/tmp/Example1m1CAcert
    3. Import any intermediate CA certificates into the keystore.

      Tip  -  For administrative convenience, assign the same label to the imported intermediate certificates as the label of the original CSR.

      If the CA has sent separate files for each intermediate certificate, then import them as you imported the preceding certificates. However, if the CA delivers its certificate chain as a PKCS#7 file, you must extract the individual certificates from the file, then import each certificate as you imported the preceding certificates:

      Note -  You must assume the root role to run the openssl command. See the openssl(7) man page.
      # openssl pkcs7 -in pkcs7-file -print_certs
      # ikev2cert import objtype=cert label=Example1m1 infile=individual-cert
  6. Set the certificate validation policy.

    If the certificate contains sections for CRLs or OCSP, you must configure the certificate validation policy according to your site requirements. For instructions, see How to Set a Certificate Validation Policy in IKEv2.

  7. After you complete the procedure on all IKE systems that use your certificate, enable the ikev2 service on all systems.

    The peer systems need the root certificate and a configured ikev2.config file.
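Step 5c leaves the splitting of the openssl pkcs7 output into individual certificate files to the reader. The following script, an added example that is not part of the Oracle page or of the ikev2cert tool, performs that split and then runs the import command once per certificate; the IKEV2CERT path variable, the temporary-directory names and the sample PEM bodies are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the Oracle page or the ikev2cert tool itself.
# Splits the PEM output of "openssl pkcs7 -print_certs" into one file per
# certificate and imports each file with "ikev2cert import objtype=cert",
# which is what step 5c of the procedure asks you to do by hand.
# Assumption: IKEV2CERT is a placeholder for the tool path; LABEL is the
# label you gave the original CSR, as the page's tip suggests.

IKEV2CERT=${IKEV2CERT:-/usr/sbin/ikev2cert}

# split_pem_certs SRC OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.pem, OUTDIR/PREFIX-2.pem, ... and prints the count.
# Lines outside BEGIN/END blocks (the subject=/issuer= lines that
# -print_certs emits) are dropped so that each file holds one bare cert.
split_pem_certs() {
    src=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" pfx "-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$src"
}

# import_pkcs7_chain PKCS7FILE LABEL
# Converts the CA bundle to PEM certificates and imports them one by one.
# Run it as root in a profile shell, as the page's note requires.
import_pkcs7_chain() {
    p7=$1; label=$2
    tmp=$(mktemp -d /tmp/chain.XXXXXX) || return 1
    # openssl reads PEM by default; add "-inform DER" for a binary .p7b file.
    openssl pkcs7 -in "$p7" -print_certs > "$tmp/chain.pem" || return 1
    count=$(split_pem_certs "$tmp/chain.pem" "$tmp" "$label") || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        "$IKEV2CERT" import objtype=cert label="$label" \
            infile="$tmp/$label-$i.pem" || return 1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Constructed two-certificate sample (placeholder bodies, not real certs).
demo=$(mktemp -d /tmp/demo.XXXXXX)
printf 'subject=CN=leaf\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$demo/chain.pem"
printf 'issuer=CN=root\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' >> "$demo/chain.pem"
echo "certificates found: $(split_pem_certs "$demo/chain.pem" "$demo/out" Example1m1)"
rm -rf "$demo"
```

Call import_pkcs7_chain with the CA's bundle and the CSR label (for example, the Example1m1 label used in step 5) after the openssl conversion has been verified to print the expected chain.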

Example 32  Using a FIPS 140-2 Approved ECC Algorithm in an IKEv2 CSR

The following excerpt from an ikev2cert command generates a certificate request with one of the FIPS 140-2 approved ECC algorithms, using curve secp521r1 and hash sha512:

# ikev2cert gencsr label=FIPSokcsr \
    subject="C=Country, O=Company\, Inc., OU=CompanyServer, CN=Server" \
    keytype=ec curve=secp521r1 hash=sha512 \
    outcsr=/tmp/FIPSokcsr

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.