
man pages section 1M: System Administration Commands


Updated: July 2017



ikev2cert - manipulate the Internet Key Exchange Version 2 (IKEv2) certificate database


ikev2cert [-f option_file] [-i] subcommand subcommand_options ...


The ikev2cert command is a simple wrapper around pktool(1). It allows users to manipulate the IKEv2 keystore for the user ikeuser, the user id that owns the PKCS#11 IKEv2 keystore and runs the IKEv2 daemon, in.ikev2d(1M). See pkcs11_softtoken(5) for more information on the PKCS#11 keystore.

Because ikev2cert manipulates sensitive keying information, you must be the root user or have the Network IPsec Management rights profile to run this command, using pfexec(1). See the rbac(5) man page.

Options, Subcommands, and Usage

Please refer to pktool(1) for usage. ikev2cert simply runs pktool as ikeuser, provided it has sufficient privilege.

Because pktool(1) is a general purpose tool, and not specifically for use with in.ikev2d(1M), it is possible to generate certificates that are not supported by in.ikev2d(1M). Refer to ikev2.config(4).

Note that the IKEv2 keystore is PKCS#11 based, so commands should not be run with a keystore keyword other than pkcs11, which is the default keystore type.


Example 1 Generating a Certificate Signing Request (CSR):

The following command generates a CSR:

# ikev2cert gencsr keytype=rsa hash=sha1 keylen=2048 \
format=pem keystore=pkcs11 label='nfs server CSR' \
subject='C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver' \
altname='IP=' outcsr=/my/directory/ikev2host.csr

Example 2 Generating an ECDSA Certificate Signing Request:

The following command generates an ECDSA certificate signing request:

# ikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \
label='source code server' \
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \
altname='EMAIL=@eng.oracle.com' outcsr=/my/directory/tank.csr

The resulting PKCS#10 encoded CSRs generated in these first two examples should be submitted to a Certificate Authority (CA) for signing. This could be an internal or commercial CA.

Example 3 Importing a Signed Certificate into the Certificate Store:

The following command imports a signed certificate into the certificate store:

# ikev2cert import label='nfs server signed cert' \

This command can also be used to import the CA's public certificate.

Note that the PEM encoded certificate must not contain any text before the BEGIN line or after the END line. Some common utilities may add descriptions.
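
The note above requires a PEM file with nothing before the BEGIN line or after the END line. The shell functions below are an added example, not part of the original man page or of ikev2cert: the helper names (pem_extract, pem_is_clean, write_sample) and the sample file are constructed, and the code assumes the standard `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` armor lines.

```shell
#!/bin/sh
# Added example. pem_extract, pem_is_clean and write_sample are hypothetical
# helper names, not part of ikev2cert or pktool.

# Print only the first certificate block, BEGIN line through END line.
# Returns non-zero if the file holds no complete block.
pem_extract() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ && !done { inblk = 1 }
        inblk { print }
        /^-----END CERTIFICATE-----/ && inblk { inblk = 0; done = 1 }
        END { exit (done ? 0 : 1) }
    ' "$1"
}

# Succeeds only if the file is exactly one certificate block
# (trailing newlines are ignored).
pem_is_clean() {
    block=$(pem_extract "$1") || return 1
    [ "$block" = "$(cat "$1")" ]
}

# Constructed sample: a placeholder body (not a real certificate) wrapped in
# the kind of descriptive text the note above warns about.
write_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Subject: CN=nfsserver   (constructed description text)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
signed by the example CA (constructed trailing text)
EOF
}

tmp=${TMPDIR:-/tmp}/ikev2cert-pem.$$
mkdir "$tmp" || exit 1
write_sample "$tmp/signed.pem"
if pem_is_clean "$tmp/signed.pem"; then
    echo "signed.pem: clean"
else
    echo "signed.pem: extra text found, writing signed.clean.pem"
    pem_extract "$tmp/signed.pem" > "$tmp/signed.clean.pem"
fi
pem_is_clean "$tmp/signed.clean.pem" && echo "signed.clean.pem: ready to import"
rm -rf "$tmp"
```

Check the exit status of pem_extract before using its output: a file with a BEGIN line but no END line yields a partial block and a non-zero status.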

Example 4 Generating a Self-Signed Certificate:

The following command generates a self-signed certificate:

# ikev2cert gencert keytype=rsa hash=sha1 keylen=2048 \
label='backup server' keystore=pkcs11 serial=0xade6781b \
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \

Example 5 Deleting a Certificate as a User Who Has Been Assigned the Network IPsec Management Rights Profile:

The following command deletes a certificate as a user who has been assigned the Network IPsec Management rights profile:

username$ pfexec /usr/sbin/ikev2cert delete label="backup server"

Enter PIN for Sun Software PKCS#11 softtoken:
1 private key(s) found, do you want to delete them (y/N) ? y
1 public key(s) found, do you want to delete them (y/N) ? y
1 certificate(s) found, do you want to delete them (y/N) ? y

Example 6 Listing Certificates Using Rights Profile:

The following command lists certificates using a rights profile:

username$ pfexec ikev2cert list

Exit Status


Successful completion.


An error occurred. Writes an appropriate error message to the standard error.


See attributes(5) for descriptions of the following attributes:

Interface Stability

See Also

pfexec(1), pktool(1), in.ikev2d(1M), user_attr(4), attributes(5), pkcs11_softtoken(5), rbac(5)