Securing the Network in Oracle® Solaris 11.3

Updated: April 2019

How to Generate and Store Public Key Certificates for IKEv2 in Hardware

Public key certificates can also be stored on attached hardware. The Sun Crypto Accelerator 6000 board provides storage and enables public key operations to be offloaded from the system to the board.

Generating and storing public key certificates on hardware is similar to generating and storing them on your system. The difference is that the token=hw-keystore argument to the ikev2cert gencert command identifies the hardware keystore in which the key pair and certificate are created.

Before You Begin

This procedure assumes that a Sun Crypto Accelerator 6000 board is attached to the system. The procedure also assumes that the software for the board has been installed and that the hardware keystore has been configured. For instructions, see the Sun Crypto Accelerator 6000 Board Product Library Documentation (https://docs.oracle.com/cd/E19321-01/index.html). These instructions include setting up the keystore.

You must become an administrator who is assigned the Network IPsec Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

If you administer remotely, see Example 31, Configuring IPsec Policy Remotely by Using an ssh Connection and How to Remotely Administer ZFS With Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3 for secure remote login instructions.

  1. Confirm that you have a token ID for the attached Sun Crypto Accelerator 6000 board.
    # pfbash
    # ikev2cert tokens
    
    Flags: L=Login required I=Initialized X=User PIN expired S=SO PIN expired
    Slot ID  Slot Name                         Token Name                        Flags
    -------  ---------                         ----------                        -----
    1        sca6000                           sca6000                           LI
    2        n2cp/0 Crypto Accel Bulk 1.0      n2cp/0 Crypto Accel Bulk 1.0
    3        ncp/0 Crypto Accel Asym 1.0       ncp/0 Crypto Accel Asym 1.0
    4        n2rng/0 SUNW_N2_Random_Number_Ge  n2rng/0 SUNW_N2_RNG
    5        Sun Crypto Softtoken              Sun Software PKCS#11 softtoken    LI
  2. Generate a self-signed certificate or a CSR, and specify the token ID.

    Note -  The Sun Crypto Accelerator 6000 board supports keys up to 2048 bits for RSA. For DSA, this board supports keys up to 1024 bits.

    Choose one of the following options:

    • For a self-signed certificate, use this syntax:
      # ikev2cert gencert token=sca6000 keytype=rsa \
      hash=sha256 keylen=2048 \
      subject="CN=FortKnox, C=US" serial=0x6278281232 label=goldrepo
      Enter PIN for sca6000: See Step 3
    • For a certificate signing request, use this syntax:
      # ikev2cert gencsr token=sca6000 -i
      > keytype=
      > hash=
      > keylen=
      > subject=
      > serial=
      > label=
      > outcsr=
      Enter PIN for sca6000 token: See Step 3

    For a description of the arguments to the ikev2cert command, see the pktool(1) man page.

  3. At the prompt for a PIN, type the Sun Crypto Accelerator 6000 user name, a colon, and the user's password.

    Note -  You must know the user name and the password for the keystore.

    If the Sun Crypto Accelerator 6000 board is configured with a user admin whose password is inThe%4ov, you would type the following:

    Enter PIN for sca6000 token: admin:inThe%4ov
    -----BEGIN X509 CERTIFICATE-----
    MIIBuDCCASECAQAwSTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFBhcnR5Q29tcGFu
    …
    oKUDBbZ9O/pLWYGr
    -----END X509 CERTIFICATE-----
  4. Send your certificate for use by the other party.

    Choose one of the following options:

    • Send the self-signed certificate to the remote system.

      You can paste the certificate into an email message.

    • Send the certificate signing request to the CA.

      Follow the instructions of the CA to submit the CSR. For a more detailed discussion, see Using Public Key Certificates in IKE.

  5. Import the certificates into the hardware keystore.

    Import the certificates that you received from the CA and provide the user and PIN from Step 3.

    # ikev2cert import token=sca6000 infile=/tmp/DCA.ACCEL.CERT1
    Enter PIN for sca6000 token: Type user:password
    # ikev2cert import token=sca6000 infile=/tmp/DCA.ACCEL.CA.CERT
    Enter PIN for sca6000 token: Type user:password
  6. Enable the hardware keystore to be used automatically or interactively.

    Automatic login is preferred. If site security policy does not permit automatic login, you must interactively log in to the keystore when the in.ikev2d daemon is restarted.

    • Configure automatic login to the keystore.
      1. Add the PIN as the value for the pkcs11_token/uri service property.

        For a description of this property, see IKEv2 Service.

        # svccfg -s ike:ikev2 editprop

        A temporary edit window opens.

      2. Uncomment the setprop pkcs11_token/uri = line and replace the parentheses with the name of the token in the following format:
        # setprop pkcs11_token/uri = () Original entry
        setprop pkcs11_token/uri = pkcs11:token=sca6000
      3. Uncomment the setprop pkcs11_token/pin = line and replace the parentheses with the username:PIN from Step 3.
        # setprop pkcs11_token/pin = () Original entry
        setprop pkcs11_token/pin = admin:PIN-from-Step-3
      4. Uncomment the refresh line at the bottom of the file, then save your changes.
        # refresh
        refresh
      5. (Optional) Verify the value of the pkcs11_token properties.
        # svccfg -s ikev2 listprop pkcs11_token
        pkcs11_token/pin     astring  username:PIN
        pkcs11_token/uri     astring  pkcs11:token=sca6000
    • If automatic login is not configured, log in to the hardware keystore manually.

      Run this command each time the in.ikev2d daemon starts.

      # pfexec ikeadm -v2 token login sca6000
      Enter PIN for sca6000 token: admin:PIN-from-Step-3
      ikeadm: sca6000 operation successful
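
The POSIX shell script below is an added example; it is not part of the Oracle Solaris documentation or of the ikev2cert tool. It performs the checks an administrator would want before running Step 2 against the board: it parses a constructed copy of the Step 1 listing to confirm that the token is present and initialized (flag I) and that no PIN has expired (flags X or S), enforces the RSA 2048-bit and DSA 1024-bit limits that the Note in Step 2 states for the Sun Crypto Accelerator 6000, and rejects a PIN that lacks the user:password form that Step 3 requires. The function names (token_flags, token_ready, sca6000_keylen_ok, pin_has_user, gencert_cmd) and the sample listing are this example's own. The script prints the ikev2cert gencert command line for review rather than running it, and it assumes that the listing starts with the three legend and header rows shown in Step 1 and that a flags column, when present, is a trailing word made only of the legend letters.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation or the ikev2cert tool.
# Pre-flight checks for generating an IKEv2 certificate in the SCA6000 keystore.
# Function names and the sample listing below are this example's own.

# Constructed copy of the "ikev2cert tokens" output shown in Step 1.
SAMPLE_TOKENS='Flags: L=Login required I=Initialized X=User PIN expired S=SO PIN expired
Slot ID  Slot Name                         Token Name                        Flags
-------  ---------                         ----------                        -----
1        sca6000                           sca6000                           LI
2        n2cp/0 Crypto Accel Bulk 1.0      n2cp/0 Crypto Accel Bulk 1.0
3        ncp/0 Crypto Accel Asym 1.0       ncp/0 Crypto Accel Asym 1.0
4        n2rng/0 SUNW_N2_Random_Number_Ge  n2rng/0 SUNW_N2_RNG
5        Sun Crypto Softtoken              Sun Software PKCS#11 softtoken    LI'

# token_flags LISTING TOKEN
# Prints the flag letters of the first slot whose line mentions TOKEN
# (nothing if that slot has no flags). Exit status 1 if TOKEN is not listed.
# Assumes the three legend/header rows of Step 1 precede the slot rows and
# that a flags column, when present, is a trailing word of legend letters.
token_flags() {
    printf '%s\n' "$1" | awk -v t="$2" '
        NR <= 3 { next }                   # legend, header and dashes
        index($0, t) == 0 { next }         # not this token
        {
            found = 1
            if ($NF ~ /^[LIXS]+$/) print $NF
            exit
        }
        END { if (found) exit 0; exit 1 }'
}

# token_ready LISTING TOKEN
# Succeeds only if TOKEN is initialized (I) and no PIN has expired (X or S);
# key generation cannot proceed against a token in any other state.
token_ready() {
    flags=$(token_flags "$1" "$2") || return 1
    case $flags in
        *X*|*S*) return 1 ;;
        *I*)     return 0 ;;
        *)       return 1 ;;
    esac
}

# sca6000_keylen_ok KEYTYPE KEYLEN
# Enforces the board limits the Note in Step 2 states: RSA up to 2048 bits,
# DSA up to 1024 bits. Non-numeric or unknown input is rejected.
sca6000_keylen_ok() {
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        rsa) [ "$2" -gt 0 ] && [ "$2" -le 2048 ] ;;
        dsa) [ "$2" -gt 0 ] && [ "$2" -le 1024 ] ;;
        *)   return 1 ;;
    esac
}

# pin_has_user PIN
# Step 3 expects "user:password" for the board, not a bare password.
pin_has_user() {
    case $1 in
        ?*:?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# gencert_cmd LISTING TOKEN KEYTYPE KEYLEN SUBJECT LABEL
# Runs the checks and prints the ikev2cert gencert command line (the form
# used in Step 2, without a serial number) for the operator to review.
gencert_cmd() {
    token_ready "$1" "$2" ||
        { echo "token $2 is missing, uninitialized or has an expired PIN" >&2; return 1; }
    sca6000_keylen_ok "$3" "$4" ||
        { echo "keylen $4 is not valid for $3 on the SCA6000" >&2; return 1; }
    printf 'ikev2cert gencert token=%s keytype=%s hash=sha256 keylen=%s subject="%s" label=%s\n' \
        "$2" "$3" "$4" "$5" "$6"
}

# Standalone run: the command for the self-signed certificate of Step 2.
gencert_cmd "$SAMPLE_TOKENS" sca6000 rsa 2048 "CN=FortKnox, C=US" goldrepo
```

Run the script as the administrator from Step 1 and replace SAMPLE_TOKENS with the output of ikev2cert tokens on the system; the printed command is then the one to run at Step 2, and the PIN check can be applied to the value you later store in pkcs11_token/pin at Step 6.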

Next Steps

If you have not completed establishing IPsec policy, return to the IPsec procedure to enable or refresh IPsec policy. For examples of IPsec policy protecting VPNs, see Protecting a VPN With IPsec. For other examples of IPsec policy, see How to Secure Network Traffic Between Two Servers With IPsec.