ikev2cert(8) man page - 윈디하나의 솔라나라


ikev2cert(8)

System Administration Commands                                    ikev2cert(8)



NAME
       ikev2cert - manipulate the Internet Key Exchange Version 2 (IKEv2)
       certificate database

SYNOPSIS
       ikev2cert [-f option_file] [-i] subcommand subcommand_options ...

DESCRIPTION
       The ikev2cert command is a simple wrapper around pktool(1).  It  allows
       users  to  manipulate the IKEv2 keystore for the user ikeuser, the user
       id that owns the PKCS#11 IKEv2 keystore  and  runs  the  IKEv2  daemon,
       in.ikev2d(8).  See  pkcs11_softtoken(7)  for  more  information  on the
       PKCS#11 keystore.


       Because ikev2cert manipulates sensitive keying information, you must be
       the  root  user  or have the Network IPsec Management rights profile to
       run this command, using pfexec(1). See the rbac(7) man page.

OPTIONS, SUBCOMMANDS, USAGE
       Please refer to pktool(1) for usage. ikev2cert simply  runs  pktool  as
       ikeuser, provided it has sufficient privilege.


       Because pktool(1) is a general purpose tool, and not specifically for
       use with in.ikev2d(8), it is possible to generate certificates that are
       not supported by in.ikev2d(8). The certificate type and parameters
       chosen must be appropriate for the authentication method configured for
       in.ikev2d. Refer to ikev2.config(5) for a list of available
       authentication methods.


       Elliptic Curve certificates must be generated using one of the
       secp256r1, secp384r1, or secp521r1 curve parameters in order to be
       supported in IKEv2.


       Note that the IKEv2 keystore is PKCS#11 based, so commands should not
       be run with a keystore keyword other than pkcs11, which is the default
       keystore type.

EXAMPLES
       Example 1 Generating a Certificate Signing Request (CSR)



       The following command generates a CSR.


         # ikev2cert gencsr keytype=rsa hash=sha256 keylen=4096 \
              format=pem keystore=pkcs11 label='nfs server CSR' \
              subject='C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver' \
              altname='IP=10.0.0.1' outcsr=/my/directory/ikev2host.csr


       Example 2 Generating an ECDSA Certificate Signing Request



       The following command generates an ECDSA certificate signing request.


         # ikev2cert gencsr keytype=ec curve=secp256r1 hash=sha256 \
              label='source code server' \
              subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=tank' \
              altname='EMAIL=@eng.example.com' outcsr=/my/directory/tank.csr




       The resulting PKCS#10 encoded CSRs generated in these first two
       examples should be submitted to a Certificate Authority (CA) for
       signing. This could be an internal or commercial CA.

       Example 3 Importing a Signed Certificate into the Certificate Store



       The following command imports a signed certificate into the certificate
       store.



         # ikev2cert import label='nfs server signed cert' \
              infile=/my/directory/ikev2host.csr.signed




       This command can also be used to import the CA's public certificate.



       Note  that the PEM encoded certificate must not contain any text before
       the BEGIN line or after the END line. Some  common  utilities  may  add
       descriptions.
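       The following shell script is an added example and is not part of the
       ikev2cert(8) man page: it trims a PEM file to the single BEGIN..END
       block that the import subcommand accepts, so descriptive text emitted
       by other utilities does not break the import. The function names, the
       temporary file paths and the sample certificate text are constructed
       for illustration.

```shell
#!/bin/sh
# Added example, not from the ikev2cert(8) page. Keeps only the first
# "-----BEGIN ...-----" .. "-----END ...-----" block of a PEM file so that
# nothing precedes the BEGIN line or follows the END line before import.

# pem_strip FILE: print the first complete PEM block of FILE to stdout.
# Exit status is 1 when FILE contains no complete block (hypothetical helper).
pem_strip() {
    awk '
        /^-----BEGIN /  { inblock = 1 }
        inblock         { print }
        /^-----END /    { if (inblock) { found = 1; exit } }
        END             { exit found ? 0 : 1 }
    ' "$1"
}

# pem_clean IN OUT: write the stripped form of IN to OUT (hypothetical helper).
pem_clean() {
    pem_strip "$1" > "$2"
}

# Constructed sample: a certificate wrapped in the kind of human-readable
# description some tools print around it. The base64 body is not a real cert.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
Certificate:
    Data:
        Subject: C=US, ST=MA, O=Oracle, OU=Solaris, CN=nfsserver
-----BEGIN CERTIFICATE-----
MIIBsampleCONSTRUCTEDbase64dataNOTarealCERT==
-----END CERTIFICATE-----
Trailing note added by the issuing tool.
EOF

# The cleaned file is what you would pass as infile= to "ikev2cert import".
pem_clean "$sample" "$sample.clean"
```

       Run the cleaned file through "ikev2cert import label=... infile=..."
       afterwards; if pem_strip exits non-zero the file held no PEM block at
       all and should not be imported.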

       Example 4 Generating a Self-Signed Certificate



       The following command generates a self-signed certificate.


         # ikev2cert gencert keytype=rsa hash=sha256 keylen=4096 \
              label='backup server' keystore=pkcs11 serial=0xade6781b \
              subject='C=US, ST=CA, O=Oracle, OU=Solaris, CN=backup-server' \
              altname='EMAIL=backup.selfsigned@example.com'


       Example 5 Deleting a Certificate Using Rights Profile



       The  following  command  deletes  a  certificate as a user who has been
       assigned the Network IPsec Management rights profile.


         username$ pfexec /usr/sbin/ikev2cert delete label="backup server"
         Enter PIN for Sun Software PKCS#11 softtoken:
         1 private key(s) found, do you want to delete them (y/N) ? y
         1 public key(s) found, do you want to delete them (y/N) ? y
         1 certificate(s) found, do you want to delete them (y/N) ? y


       Example 6 Listing Certificates Using Rights Profile



       The following command lists certificates using a rights profile.


         username$ pfexec ikev2cert list


EXIT STATUS
       0

           Successful completion.


       non-zero

           An error occurred. Writes an appropriate error message to  standard
           error.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE          ATTRIBUTE VALUE
       Availability            system/network/ike
       Interface Stability     Committed


SEE ALSO
       pfexec(1), pktool(1), user_attr(5), attributes(7), pkcs11_softtoken(7),
       rbac(7), in.ikev2d(8)



Oracle Solaris 11.4               21 Jun 2021                     ikev2cert(8)
Copyright of the man page content belongs to the man page author.