Login or Register to Ask a Question and Join Our Community


Shell Programming and Scripting

Alternative for ikecert

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums Shell Programming and Scripting Alternative for ikecert
# 1  
Old 07-19-2010
Alternative for ikecert
Hi Folks...

Is there an alternative for ikecert(SunOS) - man info - "manipulates the machine's on-filesystem public-key certificate databases" in linux?

Can we use pkcs7, pkcs8 or something like that?...
I also came across ssh-keygen and ssh-keygen2...

My best guess is to use ssh-certtool in linux.

Really appreciate any help.
Thanks a lot for your time.

regards,
Ahamed.
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Looking for an alternative to Tcl

I've created quite a collection of tcl scripts which have buttons, radio buttons, check boxes, text fields, etc. These tcl scripts in turn call and execute several hundred sh, csh, bash, perl scripts and pass in the args based on the gui selections on the same and other redhat machines. We're... (4 Replies)
Discussion started by: scottwevans
4 Replies

2. Solaris

vi alternative

Is there any other editor, installed by 'default' in Sparc Solaris10, besides vi? I'd like to avoid installing anything new. If not, how to make vi more user-friendly? thanks. (8 Replies)
Discussion started by: orange47
8 Replies

3. Shell Programming and Scripting

Alternative for wc -l

Hi techies .. This is my first posting hr .. Am facing a serious performance problem in counting the number of lines in the file. The input files i get will be in some 10 to 15 Gb of size or even sometimes more ..and I will load it to db I have used wc -l to confirm whether the loader... (14 Replies)
Discussion started by: rajesh_2383
14 Replies

4. HP-UX

alternative for egrep -o on HP-UX

Hello to all board members!! I have a problem on a HP-UX system. I should write a script. Therefore I need to search after IP addresses in the output of a command. On Debian this works: ifconfig | egrep -o "{1,3}\.{1,3}\.{1,3}\.{1,3}" The script where i need this is not ifconfig, but... (2 Replies)
Discussion started by: vostro
2 Replies

5. IP Networking

Alternative to Port 25

We're in the process of testing a mail server that we hope will replace our current one that's being hosted by our ISP. We learned a few things along the way and would like to avoid them if possible. The biggest hurdle is getting around port 25 (SMTP). Our work force is approx 75% consultants who... (1 Reply)
Discussion started by: sdotsen
1 Replies

6. Shell Programming and Scripting

du alternative in perl

I have a perl script that just does a `du -sk -x` and formats it to look groovy ( the argument can be a directory but usually is like /usr/local/* ) #!/usr/bin/perl use strict; use warnings; my $sizes = `du -x -sk @ARGV | sort -n`; my $total = 0; print "MegaBytes Name\n"; for(split... (1 Reply)
Discussion started by: insania
1 Replies

7. Shell Programming and Scripting

help with while loop or any other alternative?

i=1 while do mm=02 dd=03 yy=2008 echo "$mm$dd$yy" i=$(( i+1)) echo "$i" done whenever i execute the script above i will get the error below: syntax error at line 30: `i=$' unexpected (3 Replies)
Discussion started by: filthymonk
3 Replies

8. Shell Programming and Scripting

getopts alternative?

I have to implement switches (options) like this in my script. ./myscript -help ./myscript -dir /home/krish -all ./myscript -all getopts allows switches to have one character (like a, b, etc.). How can I customize it for handling the above situation? Or, is there any alternative to... (3 Replies)
Discussion started by: krishmaths
3 Replies
Login or Register to Ask a Question

LEARN ABOUT PLAN9

ikecert

ikecert(1M)						  System Administration Commands					       ikecert(1M)

NAME

       ikecert - manipulates the machine's on-filesystem public-key certificate databases

SYNOPSIS

       ikecert certlocal [-a | -e | -h | -k | -l | -r]	[-T PKCS#11 token identifier] [option_specific_arguments...]

       ikecert certdb [-a | -e | -h | -l | -r]	[-T PKCS#11 token identifier] [option_specific_arguments...]

       ikecert certrldb [-a | -e | -h | -l | -r]  [option_specific_arguments...]

       ikecert tokens

DESCRIPTION

       The ikecert command manipulates the machine's on-filesystem public-key certificate databases. See FILES.

       ikecert has three subcommands, one for each of the three major repositories, plus one for listing available hardware tokens:

	 o  certlocal deals with the private-key repository,

	 o  certdb deals with the public-key repository, and

	 o  certrldb deals with the certificate revocation list (CRL) repository.

	 o  tokens shows the available PKCS#11 tokens for a given PKCS#11 library.

       The only supported PKCS#11 library and hardware is the Sun Cryptographic Accelerator 4000.

OPTIONS

       Except for tokens, each subcommand requires one option, possibly followed by one or more option-specific arguments.

       The tokens subcommand lists all available tokens in the PKCS#11 library specified in /etc/inet/ike/config.

       The following options are supported:

       -a

	   certlocal	   When  specified with the certlocal subcommand, this option installs (adds) a private key into the Internet Key Exchange
			   (IKE) local ID database. The key data is read from standard input, and is in either Solaris-only format or  unencrypted
			   PKCS#8  DER	format.  Key  format  is automatically detected. PKCS#8 key files in PEM format and files in password pro-
			   tected, encrypted format are not recognized, but can be converted appropriately using tools available in OpenSSL.

			   This option cannot be used with PKCS#11 hardware objects.

	   certdb	   When specified with the certdb subcommand, this option reads a certificate from standard input and adds it to  the  IKE
			   certificate	database. The certificate must be a X.509 certificate in PEM Base64 or ASN.1 BER encoding. The certificate
			   adopts the name of its identity.

			   This option can import a certificate into a PKCS#11 hardware key store one of two ways: Either a  matching  public  key
			   object and an existing private key object were created using the certlocal -kc option, or if a PKCS#11 token is explic-
			   itly specified using the -T option.

	   certrldb	   When specified with the certrldb subcommand, this option installs (adds) a CRL into the IKE	database.  The	CRL  reads
			   from standard input.

       -e slot

	   certlocal	   When  specified  with  the certlocal subcommand, this option extracts a private key from the IKE local ID database. The
			   key data are written to standard output. The slot specifies which  private  key  to	extract.  Private  keys  are  only
			   extracted in binary/ber format.

			   Use this option with extreme caution. See SECURITY CONSIDERATIONS.

			   This option will not work with PKCS#11 hardware objects.

       -e [-f output-format] certspec

	   certdb	   When  specified  with the certdb subcommand, this option extracts a certificate from the IKE certificate database which
			   matches the certspec and writes it to standard output. The output-format option specifies the  encoding  format.  Valid
			   options are PEM and BER. This extracts the first matching identity. The default output format is PEM.

	   certrldb	   When specified with the certrldb subcommand, this option extracts a CRL from the IKE database. The key data are written
			   to standard output. The certspec specifies which CRL that is extracted. The first one that matches in the  database	is
			   extracted. See PARAMETERS for details on certspec patterns.

       -kc -m keysize -t keytype -D dname -A altname[ ... ]
       [-T PKCS#11 token identifier]

	   certlocal	   When  specified with the certlocal subcommand, this option generates a IKE public/private key pair and adds it into the
			   local ID database. It also generates a certificate request and sends that to standard output. For details on the  above
			   options  see  PARAMETERS  for  details on the dname argument and see ALTERNATIVE NAMES for details on the altname argu-
			   ment(s) to this command.

			   If -T is specified, the hardware token will generate the pair of keys.

       -ks -m keysize -t keytype -D dname -A altname[ ... ]
       [-f output-format] [-T PKCS#11 token identifier]

	   certlocal	   When specified with the certlocal subcommand, generates a public/private key pair and adds it into the local  ID  data-
			   base.  This	option also generates a self-signed certificate and installs it into the certificate database. See PARAME-
			   TERS for details on the dname and  altname arguments to this command.

			   If -T is specified, the hardware token will generate the pair of keys, and the self-signed  certificate  will  also	be
			   stored in the hardware.

       -l [-v] [slot]

	   certlocal	   When  specified  with  the certlocal subcommand, this option lists private keys in the local ID database. The -v option
			   switches output to a verbose mode where the entire certificate is printed.

			   Use the -v option with extreme caution. See SECURITY CONSIDERATIONS. The -v option will not work with PKCS#11  hardware
			   objects.

       -l [-v] [certspec]

	   certdb	   When  specified with the certdb subcommand, this option lists certificates in the IKE certificate database matching the
			   certspec, if any pattern is given. The list displays the identity string of the certificates, as well as,  the  private
			   key if in the key database. The -v switches the output to a verbose mode where the entire certificate is printed.

			   If the matching ceritifcate is on a hardware token, the token ID is also listed.

	   certrldb	   When specified with the certrldb subcommand, this option lists the CRLs in the IKE database along with any certificates
			   that reside in the database and match the Issuer Name. certspec can be used to specify to list a specific CRL.  The	-v
			   option  switches  the  output  to  a  verbose  mode where the entire certificate is printed. See PARAMETERS for details
			   oncertspec patterns.

       -r slot

	   certlocal	   When specified with the certlocal subcommand, deletes the local ID in the specified slot. If there is  a  corresponding
			   public key, it is not be deleted.

			   If this is invoked on a PKCS#11 hardware object, it will also delete the PKCS#11 public key and private key objects. If
			   the public key object was already deleted by certdb -r, that is not a problem.

       -r certspec

	   certdb	   Removes certificates from the IKE certificate database. Certificates matching the  specified  certificate  pattern  are
			   deleted.  Any  private keys in the certlocal database corresponding to these certificates are not deleted. This removes
			   the first matching identity.

			   If this is invoked on a PKCS#11 hardware object, it will also delete the certificate and the PKCS#11 public key object.
			   If the public key object was already deleted by certlocal -r, that is not a problem.

	   certrldb	   When specified with the certrldb subcommand, this option deletes the CRL with the given certspec.

PARAMETERS

       The following parameters are supported:

       certspec        Specifies  the  pattern matching of certificate specifications. Valid certspecs are the Subject Name, Issuer Name, and Sub-
		       ject Alternative Names.

		       These can be specified as certificates that match the given certspec values and that do not match other certspec values. To
		       signify a certspec value that is not supposed to be present in a certificate, place an ! in front of the tag.

		       Valid certspecs are:

		       <Subject Names>
		       SUBJECT=<Subject Names>
		       ISSUER=<Issuer Names>
		       SLOT=<Slot Number in the certificate database>

		       Example:"ISSUER=C=US, O=SUN" IP=1.2.3.4 !DNS=example.com
		       Example:"C=US,	O=CALIFORNIA" IP=5.4.2.1 DNS=example.com

		       Valid arguments to the alternative names are as follows:

		       IP=<IPv4 address>
		       DNS=<Domain Name Server address>
		       EMAIL=<email (RFC 822) address>
		       URI=<Uniform Resource Indicator value>
		       DN=<LDAP Directory Name value>
		       RID=<Registered Identifier value>

		       Valid Slot numbers can be specified without the keyword tag. Alternative name can also be issued with keyword tags.

       -A	       Subject	Alternative  Names  the  certificate.  The argument that follows the -A option should be in the form of tag=value.
		       Valid tags are IP, DNS, EMAIL, URI, DN, and RID (See example below).

       -D	       X.509 distinguished name for the certificate subject. It typically has the form of: C=country, O=organization, OU=organiza-
		       tional unit, CN=common name.  Valid tags are: C, O, OU, and CN.

       -f	       Encoding output format. pem for PEM Base64 or ber for ASN.1 BER. If -f is not specified, pem is assumed.

       -m	       Key size. It can be 512, 1024, 2048, 3072, or 4096.

		       Note -  Some  hardware does not support all key sizes. For example, the Sun Cryptographic Accelerator 4000's keystore (when
			       using the -T option, below), supports only up to 2048-bit keys for RSA and 1024-bit keys for DSA.

       -t	       Key type. It can be rsa-sha1, rsa-md5, or dsa-sha1.

       -T	       PKCS#11 token identifier for hardware key storage. This specifies a hardware device instance in conformance to the  PKCS#11
		       standard. A PKCS#11 library must be specified in /etc/inet/ike/config. (See ike.config(4).)

		       A  token  identifier  is a 32-character space-filled string. If the token given is less than 32 characters long, it will be
		       automatically padded with spaces.

		       If there is more than one PKCS#11 library on a system, keep  in	mind  that  only  one  can  be	specified  at  a  time	in
		       /etc/inet/ike/config.  There  can  be  multiple	tokens	(each  with  individual  key storage) for a single PKCS#11 library
		       instance.

SECURITY CONSIDERATIONS

       This command can save private keys of a public-private key pair into a file. Any exposure of a private key may lead to  compromise  if  the
       key is somehow obtained by an adversary.

       The  PKCS#11  hardware  object functionality can address some of the shortcomings of on-disk private keys. Because IKE is a system service,
       user intervention at boot is not desireable. The token's PIN, however, is still needed. The PINfor the PKCS#11 token, therefore, is  stored
       where  normally	the on-disk cryptographic keys would reside. This design decision is deemed acceptable because, with a hardware key store,
       possession of the key is still unavailable, only use of the key is an issue if the host is compromised. Beyond the  PIN,  the  security	of
       ikecert then reduces to the security of the PKCS#11 implementation. The PKCS#11 implementation should be scrutinized also.

       Refer  to  the afterword by Matt Blaze in Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and Source Code in C for additional
       information.

EXAMPLES

       Example 1: Generating a Self-Signed Certificate

       The following is an example of a self-signed certificate:

       example# ikecert certlocal -ks -m 512 -t rsa-md5 -D "C=US, O=SUN" -A
       IP=1.2.3.4
       Generating, please wait...
       Certificate generated.
       Certificate added to database.
       -----BEGIN X509 CERTIFICATE-----
       MIIBRDCB76ADAgECAgEBMA0GCSqGSIb3DQEBBAUAMBsxCzAJBgNVBAYTAlVTMQww
       CgYDVQQKEwNTVU4wHhcNMDEwMzE0MDEzMDM1WhcNMDUwMzE0MDEzMDM1WjAbMQsw
       CQYDVQQGEwJVUzEMMAoGA1UEChMDU1VOMFowDQYJKoZIhvcNAQEBBQADSQAwRgJB
       APDhqpKgjgRoRUr6twTMTtSuNsReEnFoReVer!ztpXpQK6ybYlRH18JIqU/uCV/r
       26R/cVXTy5qc5NbMwA40KzcCASOjIDAeMAsGA1UdDwQEAwIFoDAPBgNVHREECDAG
       hwQBAgMEMA0GCSqGSIb3DQEBBAUAA0EApTRD23KzN95GMvPD71hwwClukslKLVg8
       f1xm9ZsHLPJLRxHFwsqqjAad4j4wwwriiUmGAHLTGB0lJMl8xsgxag==
       -----END X509 CERTIFICATE-----

       Example 2: Generating a CA Request

       Generating a CA request appears the same as the self-signed certificate. The only differences between the two is the option -c  instead	of
       -s, and the certificate data is a CA request.

       example# ikecert certlocal -kc -m 512 -t rsa-md5 
	  -D "C=US, O=SUN" -A IP=1.2.3.4

       Example 3: A CA Request Using a Hardware Key Store

       The following example illustrates the specification of a token using the -T option.

       example# # ikecert certlocal -kc -m 1024 -t rsa-md5 -T vca0-keystore 
	 -D "C=US, O=SUN" -A IP=1.2.3.4

EXIT STATUS

       The following exit values are returned:

       0	       Successful completion.

       non-zero        An error occurred. Writes an appropriate error message to standard error.

FILES

       /etc/inet/secret/ike.privatekeys/*

	   Private keys. A private key must have a matching public-key certificate with the same filename in /etc/inet/ike/publickeys/.

       /etc/inet/ike/publickeys/*

	   Public-key certificates. The names are only important with regard to matching private key names.

       /etc/inet/ike/crls/*

	   Public key certificate revocation lists.

       /etc/inet/ike/config

	   Consulted for the pathname of a PKCS#11 library.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       in.iked(1M), ike.config(4), attributes(5)

       Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Second Edition. John Wiley & Sons. New York, NY. 1996.

       RSA Labs, PKCS#11 v2.11: Cryptographic Token Interface Standards, November 2001.

SunOS 5.10							    2 Nov 2004							       ikecert(1M)