ikev2cert - manipulate the Internet Key Exchange Version 2 (IKEv2) certificate database
ikev2cert [-f option_file] [-i] subcommand subcommand_options ...
The ikev2cert command is a simple wrapper around pktool(1). It allows users to manipulate the IKEv2 keystore for the user ikeuser, the user id that owns the PKCS#11 IKEv2 keystore and runs the IKEv2 daemon, in.ikev2d(8). See pkcs11_softtoken(7) for more information on the PKCS#11 keystore.
Because ikev2cert manipulates sensitive keying information, you must be the root user or have the Network IPsec Management rights profile to run this command, using pfexec(1). See the rbac(7) man page.
Please refer to pktool(1) for usage. ikev2cert simply runs pktool as ikeuser, provided it has sufficient privilege.
Because pktool(1) is a general purpose tool, and not specifically for use with in.ikev2d(8), it is possible to generate certificates that are not supported by in.ikev2d(8). The certificate type and parameters chosen must be appropriate for the authentication method configured for in.ikev2d. Refer to ikev2.config(5) for a list of available authentication methods.
Elliptic Curve certificates must be generated using one of the secp256r1, secp384r1, or secp521r1 curve parameters in order to be supported in IKEv2.
Note that the IKEv2 keystore is PKCS#11 based, so commands should not be run with a keystore keyword other than pkcs11, which is the default keystore type.
The following command generates a CSR.
# ikev2cert gencsr keytype=rsa hash=sha256 keylen=4096 \
    format=pem keystore=pkcs11 label='nfs server CSR' \
    subject='C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver' \
    altname='IP=10.0.0.1' outcsr=/my/directory/ikev2host.csr

Example 2 Generating an ECDSA Certificate Signing Request
The following command generates an ECDSA certificate signing request.
# ikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \
    label='source code server' \
    subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \
    altname='EMAIL=firstname.lastname@example.org' outcsr=/my/directory/tank.csr

The resulting PKCS#10 encoded CSRs generated in these first two examples should be submitted to a Certificate Authority (CA) for signing. This could be an internal or commercial CA.

Example 3 Importing a Signed Certificate into the Certificate Store
The following command imports a signed certificate into the certificate store.
# ikev2cert import label='nfs server signed cert' \
    infile=/my/directory/ikev2host.csr.signed
This command can also be used to import the CA's public certificate.
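A signed certificate handed back by a CA or forwarded by mail often carries a human-readable dump or a note around the PEM block, which the import step cannot tolerate. The following shell helper is added here and is not part of the ikev2cert man page; it checks that a file is nothing but the certificate block and, if not, writes a cleaned copy to import instead. File names and the certificate body are constructed placeholders.

```shell
#!/bin/sh
# Added helper, not part of the ikev2cert(8) man page: check that a PEM file
# holds nothing but the certificate block, and write a cleaned copy if not.
# File names and the certificate body below are constructed placeholders.

pem_is_clean() {
    # Succeeds only when the first line is BEGIN and the last line is END,
    # the form 'ikev2cert import' requires.
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ]
}

pem_strip() {
    # Copy only the first BEGIN..END block of $1 to $2, dropping CR bytes
    # that mail clients add; fail if no complete block was found.
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { p = 1 }
        p { print }
        /^-----END CERTIFICATE-----$/ { if (p) exit }' > "$2"
    pem_is_clean "$2"
}

# Constructed sample: the human-readable dump some CAs prepend, plus a
# trailing note. The base64 lines are placeholders, not a real certificate.
SAMPLE=$(mktemp)
CLEAN=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Certificate:
    Data:
        Subject: C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver
-----BEGIN CERTIFICATE-----
AAAAplaceholder-not-a-real-certificate-body-line-1
AAAAplaceholder-not-a-real-certificate-body-line-2
-----END CERTIFICATE-----
Issued by: Example Internal CA (placeholder)
EOF

if pem_is_clean "$SAMPLE"; then
    echo "$SAMPLE is ready for ikev2cert import"
elif pem_strip "$SAMPLE" "$CLEAN"; then
    echo "extra text removed; import $CLEAN instead"
else
    echo "no certificate block found in $SAMPLE" >&2
fi
```

The cleaned copy is what goes into the infile= argument of ikev2cert import.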
Note that the PEM encoded certificate must not contain any text before the BEGIN line or after the END line. Some common utilities may add descriptions.

Example 4 Generating a Self-Signed Certificate
The following command generates a self-signed certificate.
# ikev2cert gencert keytype=rsa hash=sha256 keylen=4096 \
    label='backup server' keystore=pkcs11 serial=0xade6781b \
    subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \
    altname='EMAIL=email@example.com'

Example 5 Deleting a Certificate as a User who has Been Assigned the Network IPsec Management Rights Profile
The following command deletes a certificate as a user who has been assigned the Network IPsec Management rights profile.
username$ pfexec /usr/sbin/ikev2cert delete label="backup server"
Enter PIN for Sun Software PKCS#11 softtoken:
1 private key(s) found, do you want to delete them (y/N) ? y
1 public key(s) found, do you want to delete them (y/N) ? y
1 certificate(s) found, do you want to delete them (y/N) ? y

Example 6 Listing Certificates Using Rights Profile
The following command lists certificates using a rights profile.
username$ pfexec ikev2cert list
An error occurred. Writes an appropriate error message to standard error.
See attributes(7) for descriptions of the following attributes: