14.8.11 Enabling/Disabling a Registered X.509 Public Key Certificate

To use a user's X.509 public key certificate that has been registered, execute the setvbootconfig command from the XSCF shell to enable the public key certificate. Execute the setvbootconfig command with a user account that has the platadm or pparadm privilege.
In the following example, a disabled public key certificate is enabled.
XSCF> setvbootconfig -p ppar_id -i index -c enable
For ppar_id, specify the destination physical partition. For index, specify the index number of the user's certificate to be enabled.

The list of registered certificates shows each certificate's index number and whether it is currently enabled or disabled. To display the list, execute the showvbootcerts command with the -a option specified.
XSCF> showvbootcerts -p ppar_id -a
In the following example, an enabled public key certificate is disabled.
XSCF> setvbootconfig -p ppar_id -i index -c disable
For ppar_id, specify the destination physical partition. For index, specify the index number of the user's certificate to be disabled.
Note - You can also use XSCF Web to enable/disable an X.509 public key certificate.
Note - You can enable/disable an X.509 public key certificate while the physical partition is powered off or while Oracle Solaris is running on the logical domain. If the physical partition or logical domain is in the middle of starting up or stopping, the command returns an error. Perform the operation again after the startup or stop has completed.
Note - A system default certificate is a public key certificate the XSCF has by default. System default certificates cannot be enabled/disabled.
Operation Procedure
  1. Log in to the XSCF.
    For details, see "2.2 Logging In to the XSCF Shell."
  2. Execute the showvbootcerts command to check the index number of the user's certificate to be used and whether the certificate is enabled.
    If the registered public key certificate is already enabled, the subsequent steps are not required.
    In the following example, all the X.509 public key certificates registered in PPAR-ID 2 are displayed.
XSCF> showvbootcerts -p 2 -a
--------------------------------------------------------------------------------

PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 2 Managed PKI Individual Subscriber CA, CN=Object Signing CA
  Subject: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 2 name : CUSTOM_CERT_2 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 5 name : CUSTOM_CERT_5 [Disable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:bb:71
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------

  3. Execute the setvbootconfig command to enable the public key certificate.
    In the following example, the X.509 public key certificate registered as index number 5 in PPAR-ID 2 is enabled. Respond "y" (yes) to the confirmation message.
XSCF> setvbootconfig -p 2 -i 5 -c enable
Index 5, CUSTOM_CERT_5 on PPAR-ID 2 will be enabled,
Continue?[y|n]: y
  4. Execute the showvbootcerts command to confirm that the public key certificate was enabled.
    In the following example, the X.509 public key certificate registered as index number 5 in PPAR-ID 2 is confirmed as enabled.
XSCF> showvbootcerts -p 2 -a
--------------------------------------------------------------------------------

PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 2 Managed PKI Individual Subscriber CA, CN=Object Signing CA
  Subject: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 2 name : CUSTOM_CERT_2 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 5 name : CUSTOM_CERT_5 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:bb:71
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------
  5. Execute the exit command to log out from the XSCF shell.
    If you have no further work to do in the XSCF shell, log out from the XSCF. To configure another setting, go to the relevant step of that procedure.
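As an added example that is not part of the XSCF documentation, the following Python parses showvbootcerts -a output in the layout shown above into per-certificate records, works out the setvbootconfig command a requested change needs (refusing system default certificates, which the notes above say cannot be changed), and lists which user certificates are currently enabled, which is the audit question behind both the introduction and the procedure. The sample output is constructed from the listing on this page, and the script assumes the XSCF output has already been captured to a string (for example from an SSH session); it does not talk to the XSCF itself.

```python
import re

# Constructed sample in the layout of "showvbootcerts -p 2 -a" on this page, abridged to header and serial.
SAMPLE = """\
--------------------------------------------------------------------------------
PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
--------------------------------------------------------------------------------
Data:
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
--------------------------------------------------------------------------------
PPAR-ID 2 User Index : 5 name : CUSTOM_CERT_5 [Disable]
--------------------------------------------------------------------------------
Data:
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:bb:71
--------------------------------------------------------------------------------
"""

HEADER = re.compile(r"^PPAR-ID (\d+) (System|User) Index : (\d+) name : (\S+) "
                    r"\[(Enable|Disable)(\(Unchangeable\))?\]$")

def parse_vboot_certs(text):
    """Turn showvbootcerts -a output into one dict per certificate."""
    certs, want_serial = [], False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ppar, kind, idx, name, state, lock = m.groups()
            certs.append({"ppar": int(ppar), "kind": kind, "index": int(idx), "name": name,
                          "enabled": state == "Enable", "changeable": lock is None, "serial": None})
        elif certs and line.strip() == "Serial Number:":
            want_serial = True                    # the hex value is on the next line
        elif certs and want_serial:
            certs[-1]["serial"], want_serial = line.strip(), False
    return certs

def plan_change(certs, index, action):
    """setvbootconfig command that brings `index` to `action` ('enable'/'disable'), or None if no change is needed."""
    cert = next((c for c in certs if c["index"] == index), None)
    if cert is None:
        raise KeyError(f"no certificate with index {index}")
    if not cert["changeable"]:
        raise ValueError(f"{cert['name']} is a system default certificate and cannot be changed")
    if cert["enabled"] == (action == "enable"):
        return None
    return f"setvbootconfig -p {cert['ppar']} -i {index} -c {action}"

def enabled_user_certs(certs):
    """Audit helper: user (non-system) certificates currently trusted for verified boot."""
    return [c["name"] for c in certs if c["kind"] == "User" and c["enabled"]]
```

Run enabled_user_certs() over captured output from each physical partition to spot a user certificate that was enabled outside of your change process.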