'\" te
.\" Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
.TH ikev2cert 1M "19 Mar 2015" "SunOS 5.11" "System Administration Commands"
.SH NAME
ikev2cert \- manipulate the Internet Key Exchange Version 2 (IKEv2) certificate database
.SH SYNOPSIS
.LP
.nf
\fBikev2cert\fR [\fB-f\fR \fIoption_file\fR] [\fB-i\fR] \fIsubcommand\fR \fIsubcommand_options\fR ...
.fi
.SH DESCRIPTION
.sp
.LP
The \fBikev2cert\fR command is a simple wrapper around \fBpktool\fR(1). It allows users to manipulate the IKEv2 keystore for the user \fBikeuser\fR, the user ID that owns the PKCS#11 IKEv2 keystore and runs the IKEv2 daemon, \fBin.ikev2d\fR(1M). See \fBpkcs11_softtoken\fR(5) for more information on the PKCS#11 keystore.
.sp
.LP
Because \fBikev2cert\fR manipulates sensitive keying information, you must be the root user or have the Network IPsec Management rights profile to run this command using \fBpfexec\fR(1). See the \fBrbac\fR(5) man page.
.SH OPTIONS, SUBCOMMANDS, AND USAGE
.sp
.LP
Refer to \fBpktool\fR(1) for usage. \fBikev2cert\fR simply runs \fBpktool\fR as \fBikeuser\fR, provided the caller has sufficient privilege.
.sp
.LP
Because \fBpktool\fR(1) is a general purpose tool and is not specific to \fBin.ikev2d\fR(1M), it can generate certificates that \fBin.ikev2d\fR(1M) does not support. Refer to \fBikev2.config\fR(4).
.sp
.LP
Note that the IKEv2 keystore is PKCS#11 based, so commands should not be run with a keystore keyword other than \fBpkcs11\fR, which is the default keystore type.
.SH EXAMPLES
.LP
\fBExample 1 \fRGenerating a Certificate Signing Request (CSR):
.sp
.LP
The following command generates a CSR:
.sp
.in +2
.nf
# \fBikev2cert gencsr keytype=rsa hash=sha1 keylen=2048 \e\fR
\fBformat=pem keystore=pkcs11 label='nfs server CSR' \e
subject='C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver' \e
altname='IP=10.0.0.1' outcsr=/my/directory/ikev2host.csr\fR
.fi
.in -2
.sp
.LP
\fBExample 2 \fRGenerating an ECDSA Certificate Signing Request:
.sp
.LP
The following command generates an ECDSA certificate signing request:
.sp
.in +2
.nf
# \fBikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \e\fR
\fBlabel='source code server' \e
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \e
altname='EMAIL=@eng.oracle.com' outcsr=/my/directory/tank.csr\fR
.fi
.in -2
.sp
.sp
.LP
The PKCS#10 encoded CSRs generated in these first two examples should be submitted to a Certificate Authority (CA) for signing. This could be an internal or a commercial CA.
.LP
\fBExample 3 \fRImporting a Signed Certificate into the Certificate Store:
.sp
.LP
The following command imports a signed certificate into the certificate store:
.sp
.in +2
.nf
# \fBikev2cert import label='nfs server signed cert' \e\fR
\fBinfile=/my/directory/ikev2host.csr.signed\fR
.fi
.in -2
.sp
.sp
.LP
This command can also be used to import the CA's public certificate.
.sp
.LP
Note that the PEM encoded certificate must not contain any text before the BEGIN line or after the END line. Some common utilities add descriptions around the certificate block.
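.sp
.LP
The following shell script is an added example and is not part of this man page or of the \fBikev2cert\fR/\fBpktool\fR code. It shows one way to strip such surrounding text from a CA-returned PEM certificate and to verify the file is a bare BEGIN/END block before passing it to \fBikev2cert import\fR; the function names and the sample file are constructed, and the certificate body is placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example: clean a CA-supplied PEM certificate before running
# "ikev2cert import", keeping only the BEGIN/END block, because the
# import rejects files that carry text outside that block.
# The function names and the sample file are constructed for this
# illustration; the certificate data below is NOT a real certificate.

# Print only the lines from the first BEGIN CERTIFICATE line through
# the matching END CERTIFICATE line; everything else is dropped.
pem_extract() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock { print }
        /^-----END CERTIFICATE-----$/ { if (inblock) exit }
    ' "$1"
}

# Return 0 if the file is exactly one PEM block with nothing outside it
# (the form ikev2cert import expects), 1 otherwise.
pem_is_clean() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$last" = "-----END CERTIFICATE-----" ]
}

# Constructed sample: a CA tool that prepends a human-readable
# description and appends a note, as the man page warns some do.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Certificate:
    Data:
        Subject: C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver
-----BEGIN CERTIFICATE-----
MIIBsampleCERTIFICATEdataNOTaREALcert0123456789abcdef
-----END CERTIFICATE-----
Trailing note added by the issuing tool.
EOF

cleaned=$(mktemp)
pem_extract "$sample" > "$cleaned"

# Only the cleaned copy is suitable for:
#   ikev2cert import label='nfs server signed cert' infile="$cleaned"
if pem_is_clean "$cleaned"; then
    echo "cleaned PEM ready for import: $cleaned"
fi
```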
.LP
\fBExample 4 \fRGenerating a Self-Signed Certificate:
.sp
.LP
The following command generates a self-signed certificate:
.sp
.in +2
.nf
# \fBikev2cert gencert keytype=rsa hash=sha1 keylen=2048 \e\fR
\fBlabel='backup server' keystore=pkcs11 serial=0xade6781b \e
subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \e
altname='EMAIL=backup.selfsigned@dev.null'\fR
.fi
.in -2
.sp
.LP
\fBExample 5 \fRDeleting a Certificate as a User Who Has Been Assigned the Network IPsec Management Rights Profile:
.sp
.LP
The following command deletes a certificate as a user who has been assigned the Network IPsec Management rights profile:
.sp
.in +2
.nf
username$ \fBpfexec /usr/sbin/ikev2cert delete label="backup server"\fR
Enter PIN for Sun Software PKCS#11 softtoken:
1 private key(s) found, do you want to delete them (y/N) ? \fBy\fR
1 public key(s) found, do you want to delete them (y/N) ? \fBy\fR
1 certificate(s) found, do you want to delete them (y/N) ? \fBy\fR
.fi
.in -2
.sp
.LP
\fBExample 6 \fRListing Certificates Using a Rights Profile:
.sp
.LP
The following command lists certificates using a rights profile:
.sp
.in +2
.nf
username$ \fBpfexec ikev2cert list\fR
.fi
.in -2
.sp
.SH EXIT STATUS
.sp
.ne 2
.mk
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE
.sp
.ne 2
.mk
.na
\fB\fBnon-zero\fR\fR
.ad
.sp .6
.RS 4n
An error occurred. An appropriate error message is written to the standard error.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i) .
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@network/ike
_
Interface Stability@Committed
.TE
.SH SEE ALSO
.sp
.LP
\fBpfexec\fR(1), \fBpktool\fR(1), \fBin.ikev2d\fR(1M), \fBikev2.config\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5), \fBpkcs11_softtoken\fR(5), \fBrbac\fR(5)