Securing the Network in Oracle® Solaris 11.3

Updated: April 2019

How to Configure IKEv2 With Certificates Signed by a CA

Organizations that protect a large number of communicating systems typically use public certificates from a certificate authority (CA). For background information, see IKE With Public Key Certificates.

You perform this procedure on all IKE systems that use certificates from a CA.

Before You Begin

To use the certificates, you must have completed How to Create and Use a Keystore for IKEv2 Public Key Certificates.

You must become an administrator who is assigned the Network IPsec Management rights profile. You must be typing in a profile shell. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.

  1. Change to a writable directory, for example /tmp.

    # cd /tmp

    The ikev2cert gencsr command in the next step writes the CSR to disk. If the current directory (or the outcsr path you give) is not writable, the command reports an error such as:

    Warning: error accessing "CSR-file"
  2. Create a certificate signing request.

    You use the ikev2cert gencsr command to create a certificate signing request (CSR). The CSR binds the subject name to a new key pair whose private key stays in the PKCS#11 softtoken keystore; only the public half leaves the system. For a description of the arguments to the command, review the pktool gencsr keystore=pkcs11 subcommand in the pktool(1) man page.

    For example, the following command creates a file that contains the CSR on the host2 system. The label is reused later when the signed certificate is imported, so pick one you can identify with this CSR:

    # pfbash
    # /usr/sbin/ikev2cert gencsr \
    label=Example1m1 \
    outcsr=/tmp/Example1m1csr1 \
    subject="C=US, O=Example2Co\, Inc., OU=US-Example1m, CN=Example1m"
    Enter PIN for Sun Software PKCS#11 softtoken: xxxxxxxx

    Note that the comma inside the organization name is escaped with a backslash so that it is not read as a separator between RDN components.
  3. (Optional) Display the contents of the CSR so that you can paste it into the CA's web form.
    # cat /tmp/Example1m1csr1
  4. Submit the CSR to a certificate authority (CA).

    The CA can tell you how to submit the CSR. Most organizations have a web site with a submission form. The form requires proof that the submission is legitimate. Typically, you paste your CSR into the form.

    Tip  -  Some web forms have an Advanced button where you can paste your CSR. The CSR is generated in PKCS#10 format. Therefore, find the portion of the web form that mentions PKCS#10.
  5. Import each certificate that you receive from the CA into your keystore.

    The ikev2cert import command imports the certificate into the keystore.

    1. Import the public key and certificate that you received from the CA.
      # ikev2cert import objtype=cert label=Example1m1 infile=/tmp/Example1m1Cert

      Tip  -  For administrative convenience, assign the same label to the imported certificate as the label of the original CSR.
    2. Import the root certificate from the CA.
      # ikev2cert import objtype=cert infile=/tmp/Example1m1CAcert
    3. Import any intermediate CA certificates into the keystore.

      Tip  -  For administrative convenience, assign the same label to the imported intermediate certificates as the label of the original CSR.

      If the CA has sent separate files for each intermediate certificate, then import them as you imported the preceding certificates. However, if the CA delivers its certificate chain as a PKCS#7 file, you must first extract the individual certificates from the file. The openssl pkcs7 -print_certs command prints every certificate in the chain, in PEM form, one after another; split that output at the BEGIN CERTIFICATE and END CERTIFICATE markers into one file per certificate, then import each file as you imported the preceding certificates:

      Note -  You must assume the root role to run the openssl command. See the openssl(5) man page.
      # openssl pkcs7 -in pkcs7-file -print_certs -out all-certs.pem
      # ikev2cert import objtype=cert label=Example1m1 infile=individual-cert

      Before importing, check that the end-entity certificate actually chains to the root you imported in the previous step; a missing intermediate shows up later as a peer authentication failure, not as an import error.
  6. Set the certificate validation policy.

    If the certificate contains sections for CRLs or OCSP, you must configure the certificate validation policy according to your site requirements. For instructions, see How to Set a Certificate Validation Policy in IKEv2.

  7. After you complete the procedure on all IKE systems that use your certificate, enable the ikev2 service on all systems.

    # svcadm enable ipsec/ike:ikev2

    Each peer system needs the root certificate (and any intermediates) in its keystore and a configured /etc/inet/ike/ikev2.config file; otherwise the peer cannot validate the certificate this system presents.
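The splitting step in 5.3 is the part of this procedure that the page leaves to the reader, so here is an added example (not code from the Oracle page) that takes the concatenated PEM output of openssl pkcs7 -print_certs, writes one file per certificate, sanity-checks each file, and then runs the ikev2cert import loop with the CSR's label. The label Example1m1, the work directory under /tmp, and the sample bundle (placeholder bodies, not real certificates) are assumptions; the import loop only executes where ikev2cert exists, that is, on the Solaris host itself.

```shell
#!/bin/sh
# Added example, not from the Oracle page: split a PEM chain into one file
# per certificate, then import each into the IKEv2 keystore.
# Assumed: label "Example1m1", a scratch directory under /tmp, and a
# constructed sample bundle below whose bodies are placeholders.

# Split a concatenated PEM file (for example the output of
# "openssl pkcs7 -in chain.p7b -print_certs") into cert1.pem, cert2.pem, ...
# Lines outside BEGIN/END blocks (the "subject=" / "issuer=" lines that
# -print_certs emits) are dropped. Prints the number of files written.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert" n ".pem" }
        out != ""                       { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }
        END                             { print n + 0 }
    ' "$bundle"
}

# Sanity check on one extracted file: exactly one BEGIN and one END marker.
is_single_cert() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    [ "$(grep -c -- '-----END CERTIFICATE-----' "$1")" -eq 1 ]
}

# Import every split file under the same label as the original CSR
# (the convenience tip in step 5). Fails fast on a malformed file.
import_chain() {
    outdir=$1
    label=$2
    for f in "$outdir"/cert*.pem; do
        is_single_cert "$f" || { echo "malformed certificate file: $f" >&2; return 1; }
        ikev2cert import objtype=cert label="$label" infile="$f" || return 1
    done
}

# --- demo on a constructed bundle -----------------------------------------
work=${TMPDIR:-/tmp}/ikev2-chain.$$
mkdir -p "$work"
cat > "$work/chain.pem" <<'EOF'
subject=CN=Example1m
issuer=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderEndEntity
-----END CERTIFICATE-----
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate
-----END CERTIFICATE-----
subject=CN=Example Root CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderRoot
-----END CERTIFICATE-----
EOF

n=$(split_pem_bundle "$work/chain.pem" "$work/certs")
echo "wrote $n certificate files under $work/certs"

# Only the Solaris host has ikev2cert; elsewhere the files are left for review.
if command -v ikev2cert >/dev/null 2>&1; then
    import_chain "$work/certs" Example1m1
fi
```

On the real host, replace the constructed chain.pem with the file produced by openssl pkcs7 -print_certs -out, inspect each certN.pem (openssl x509 -noout -subject -issuer -in certN.pem) to confirm which one is the root and which are intermediates, and only then run import_chain.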

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.