Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022



ikev2cert - manipulate the Internet Key Exchange Version 2 (IKEv2) certificate database


ikev2cert [-f option_file] [-i] subcommand subcommand_options ...


The ikev2cert command is a simple wrapper around pktool(1). It allows users to manipulate the IKEv2 keystore for the user ikeuser, the user id that owns the PKCS#11 IKEv2 keystore and runs the IKEv2 daemon, in.ikev2d(8). See pkcs11_softtoken(7) for more information on the PKCS#11 keystore.

Because ikev2cert manipulates sensitive keying information, you must be the root user or have the Network IPsec Management rights profile to run this command, using pfexec(1). See the rbac(7) man page.

Options, Subcommands, Usage

Please refer to pktool(1) for usage. ikev2cert simply runs pktool as ikeuser, provided it has sufficient privilege.

Because pktool(1) is a general purpose tool, and not specifically for use with in.ikev2d(8), it is possible to generate certificates that are not supported by in.ikev2d(8). The certificate type and parameters chosen must be appropriate for the authentication method configured for in.ikev2d. Refer to ikev2.config(5) for a list of available authentication methods.

Elliptic Curve certificates must be generated using one of the secp256r1, secp384r1, or secp521r1 curve parameters in order to be supported in IKEv2.

Note that the IKEv2 keystore is PKCS#11 based, so commands should be not be run with a keystore keyword other than pkcs11, which is the default keystore type.


Example 1 Generating a Certificate Signing Request (CSR)

The following command generates a CSR.

# ikev2cert gencsr keytype=rsa hash=sha256 keylen=4096 \
format=pem keystore=pkcs11 label='nfs server CSR' \
     subject='C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver' \
     altname='IP=' outcsr=/my/directory/ikev2host.csr
Example 2 Generating a ECSDA Certificate Signing Request

The following command generates a ECSDA certificate signing request.

# ikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \
     label='source code server' \
     subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \
     altname='EMAIL=@eng.example.com' outcsr=/my/directory/tank.csr

The resulting PKCS#10 encoded CSRs generated in these first two examples should be submitted to a Certificate Authority (CA) for signing. This could be an internal or commercial CA.

Example 3 Importing a Signed certificate into the certificate store

The following command imports a signed certificate into the certificate store.

# ikev2cert import label='nfs server signed cert' \

This command can also be used to import the CA's public certificate.

Note that the PEM encoded certificate must not contain any text before the BEGIN line or after the END line. Some common utilities may add descriptions.

Example 4 Generating a Self-Signed Certificate

The following command generates a self-signed certificate.

# ikev2cert gencert keytype=rsa hash=sha256 keylen=4096 \
     label='backup server' keystore=pkcs11 serial=0xade6781b \
     subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \
Example 5 Deleting a Certificate Using Rights Profile

The following command deletes a certificate as a user who has been assigned the Network IPsec Management rights profile.

username$ pfexec /usr/sbin/ikev2cert delete label="backup server"
Enter PIN for Sun Software PKCS#11 softtoken:
1 private key(s) found, do you want to delete them (y/N) ? y
1 public key(s) found, do you want to delete them (y/N) ? y
1 certificate(s) found, do you want to delete them (y/N) ? y
Example 6 Listing Certificates Using Rights Profile

The following command lists certificates using a rights profile.

username$ pfexec ikev2cert list

Exit Status


Successful completion.


An error occurred. Writes an appropriate error message to standard error.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

pfexec(1), pktool(1), user_attr(5), attributes(7), pkcs11_softtoken(7), rbac(7), in.ikev2d(8)