How to Configure IKE With Public Keys Signed by a Certificate Authority
Become superuser on the system console.
Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.
Use the ikecert certlocal -kc command to add a trusted root certificate to the ike.privatekeys database.
For example,
# ikecert certlocal -kc -m 1024 -t rsa-md5 \ -D "C=US, O=ExampleCompany\, Inc., OU=US-Example, CN=Example" \ -A "DN=C=US, O=ExampleCompany\, Inc., OU=US-Example" Generating, please wait... Certificate request generated. -----BEGIN CERTIFICATE REQUEST----- MIIByjCCATMCAQAwUzELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEV4YW1wbGVDb21w ... lcM+tw0ThRrfuJX9t/Qa1R/KxRlMA3zckO80mO9X -----END CERTIFICATE REQUEST-----
Submit the request to the outside Certificate Authority or PKI.
The vendor issues you two certificates and a CRL that you enter into the respective databases.
Your publickeys certificate - This certificate is based on the request you submitted to the vendor. The certificate uniquely identifies you.
A Certificate Authority - This is the vendor's signature. The CA verifies that your publickeys certificate is legitimate.
A Certificate Revocation List - This is the latest list of certificates that the vendor has revoked.
Enter the three certificates as the argument to ikecert commands.
Become superuser on the system console.
Type the ikecert certdb -a command and type <Return>.
# ikecert certdb -a <Return>
Paste your certificate that you received from the vendor and type <Return>.
-----BEGIN X509 CERTIFICATE----- ... -----END X509 CERTIFICATE-----<Return>
End the entry by typing <Control-D>.
<Control-D>
Type the ikecert certdb -a command and type <Return>.
# ikecert certdb -a <Return>
Paste the vendor's CA and type <Return>, then <Control-D> to end the entry.
-----BEGIN X509 CERTIFICATE----- ... -----END X509 CERTIFICATE-----<Return> <Control-D>
Type the ikecert certrldb -a command and type <Return>.
# ikecert certrldb -a <Return>
Paste the vendor's CRL and type <Return>, then <Control-D> to end the entry.
Edit the /etc/inet/ike/config file to recognize the vendor.
Use the name that the vendor tells you to use. For example,
# Trusted root cert # This certificate is from Example PKI # This is the X.509 distinguished name for the CA that it issues. cert_root "C=US, O=ExamplePKI\, Inc., OU=PKI-Example, CN=Example PKI" ## Parameters that may also show up in rules. p1_xform { auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg 3des } p2_pfs 2 { label "UN-Example to US-Example - Example PKI" local_id_type dn local_id "C=US, O=ExampleCompany, OU=UN-Example, CN=Example" remote_id_type dn remote_id "C=US, O=ExampleCompany, OU=US-Example, CN=Example" local_addr 192.168.10.242 remote_addr 192.168.11.241 p1_xform { auth_method rsa_encrypt oakley_group 2 auth_alg md5 encr_alg des } }
The communicating system does the same operations as you have done.
Following the example, the "C=US, O=ExampleCompany, OU=US-Example, CN=Example" system runs the ikecert commands as above. Its ike.config file uses its local information for local parameters, and your system's information for the remote parameters.
For example,
# Trusted root cert # This certificate is from Example PKI cert_root "C=US, O=ExamplePKI\, Inc., OU=PKI-Example, CN=Example PKI" ## Parameters that may also show up in rules. p1_xform { auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg 3des } p2_pfs 2 { label "US-Example to UN-Example - Example PKI" local_id_type dn local_id "C=US, O=ExampleCompany, OU=US-Example, CN=Example" remote_id_type dn remote_id "C=US, O=ExampleCompany, OU=UN-Example, CN=Example" local_addr 192.168.11.241 remote_addr 192.168.10.242 p1_xform { auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg des } }
When the /etc/hosts file and /etc/inet/ipsecinit.conf file have been modified to include the protected interfaces and the machines are rebooted, the IKE daemon authenticates itself with the public keys and the CA.
Note - The RSA encryption authentication method hides identities in IKE from eavesdroppers, so IKE does not retrieve the peer's certificate. As a result, the method requires that the IKE peers know each other's public keys. Therefore, when you use auth_method rsa_encrypt in the ike.config file, you must add the peer's certificate to the public-keys database.