Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Configuring IKEv1 With Public Key Certificates

Public key certificates eliminate the need for communicating systems to share secret keying material out of band. Public certificates from a certificate authority (CA) typically require negotiation with an outside organization. The certificates very easily scale to protect a large number of communicating systems.

Public key certificates can also be generated and stored in attached hardware. For the procedure, see Configuring IKEv1 to Find Attached Hardware.

All certificates have a unique name in the form of an X.509 distinguished name (DN). Additionally, a certificate might have one or more subject alternative names, such as an email address, a DNS name, an IP address, and so on. You can identify the certificate in the IKEv1 configuration by its full DN or by one of its subject alternative names. The format of these alternative names is tag=value, where the format of the value corresponds to its tag type. For example, the format of the email tag is name@domain.suffix.

The following task map lists procedures for creating public key certificates for IKEv1. The procedures include how to accelerate and store the certificates on attached hardware..

Table 15  Configuring IKEv1 With Public Key Certificates Task Map
Task
Description
For Instructions
Configure IKEv1 with self-signed public key certificates.
Creates and places keys and two certificates on each system:
  • A self-signed certificate and its keys

  • The public key certificate from the peer system

Configure IKEv1 with a certificate authority.
Creates a certificate signing request, and then places certificates from the CA on each system. See Using Public Key Certificates in IKE.
Configure public key certificates in local hardware.
Involves one of:
  • Generating a self-signed certificate in the local hardware, then adding the public key from a remote system to the hardware.

  • Generating a certificate signing request in the local hardware, then adding the public key certificates from the CA to the hardware.

Update the certificate revocation list (CRL) from the CA.
Accesses the CRL from a central distribution point.

Note -  To label packets and IKE negotiations on a Trusted Extensions system, follow the procedures in Configuring Labeled IPsec in Trusted Extensions Configuration and Administration.

Public key certificates are managed in the global zone on Trusted Extensions systems. Trusted Extensions does not change how certificates are managed and stored.