Securing the Network in Oracle® Solaris 11.4


Updated: May 2021

Configuring IKEv1 With Public Key Certificates

Public key certificates eliminate the need for communicating systems to share secret keying material out of band. Obtaining certificates from a certificate authority (CA) typically requires negotiation with an outside organization. Certificates scale easily to protect a large number of communicating systems, because each system needs only its own key pair and certificate plus a way to verify its peers' certificates.

All certificates have a unique name in the form of an X.509 distinguished name (DN). Additionally, a certificate might have one or more subject alternative names, such as an email address, a DNS name, or an IP address. You can identify the certificate in the IKEv1 configuration by its full DN or by one of its subject alternative names. The format of these alternative names is tag=value, where the format of the value corresponds to its tag type. For example, the value of the email tag has the form name@domain.suffix.
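To show how a tag=value identity is checked against the names a peer certificate actually carries, here is an added example that is not part of the Oracle documentation; the tag names (EMAIL, DNS, IP, DN) and the CertIdentity record are assumptions for illustration, not the Solaris ike.config syntax.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed tag names and a constructed certificate record; not taken from the page.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class CertIdentity:
    dn: str         # subject distinguished name, e.g. "C=US, O=Example, CN=gw1"
    alt_names: dict  # tag -> list of subject alternative name values


def _normalize_dn(dn):
    """Component-wise DN form: attribute types case-insensitive, values exact.
    Escaped commas inside values are not handled (illustration only)."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {rdn!r}")
        parts.append((attr.strip().upper(), val.strip()))
    return tuple(parts)


def parse_identity(spec):
    """Parse 'tag=value' and reject a value whose shape does not fit its tag."""
    tag, sep, value = spec.partition("=")
    tag, value = tag.strip().upper(), value.strip()
    if not sep or not tag or not value:
        raise ValueError(f"identity must be tag=value, got {spec!r}")
    if tag == "EMAIL":
        if not _EMAIL_RE.match(value):
            raise ValueError(f"EMAIL value must look like name@domain.suffix: {value!r}")
        local, _, domain = value.rpartition("@")
        return tag, f"{local}@{domain.lower()}"   # domain part is case-insensitive
    if tag == "DNS":
        labels = value.rstrip(".").split(".")
        if not all(_LABEL_RE.match(lbl) for lbl in labels):
            raise ValueError(f"DNS value is not a valid host name: {value!r}")
        return tag, ".".join(labels).lower()
    if tag == "IP":
        return tag, ipaddress.ip_address(value)    # raises ValueError on bad input
    if tag == "DN":
        return tag, _normalize_dn(value)
    raise ValueError(f"unknown identity tag {tag!r}")


def identity_matches(spec, cert):
    """True when the configured identity selects this certificate."""
    tag, value = parse_identity(spec)
    if tag == "DN":
        return value == _normalize_dn(cert.dn)
    candidates = cert.alt_names.get(tag, [])
    if tag == "IP":
        return any(ipaddress.ip_address(c) == value for c in candidates)
    if tag == "DNS":
        return any(c.rstrip(".").lower() == value for c in candidates)
    return any(parse_identity(f"EMAIL={c}")[1] == value for c in candidates)
```

A malformed identity is rejected at parse time rather than silently failing to match, which is the failure you want when a configuration typo would otherwise leave a peer unauthenticated.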

The following task map lists procedures for creating public key certificates for IKEv1.

Table 11  Configuring IKEv1 With Public Key Certificates Task Map

Task: Configure IKEv1 with self-signed public key certificates.
Description: Creates and places keys and two certificates on each system:
  • A self-signed certificate and its keys
  • The public key certificate from the peer system

Task: Configure IKEv1 with a certificate authority.
Description: Creates a certificate signing request, and then places certificates from the CA on each system. See Using Public Key Certificates in IKE.

Task: Update the certificate revocation list (CRL) from the CA.
Description: Accesses the CRL from a central distribution point.

Note -  To label packets and IKE negotiations on a Trusted Extensions system, follow the procedures in Configuring Labeled IPsec in Trusted Extensions Configuration and Administration.

Public key certificates are managed in the global zone on Trusted Extensions systems. Trusted Extensions does not change how certificates are managed and stored.