
14.8.3 X.509 Public Key Certificates for Verified Boot

Table 14-17 shows the two types of X.509 public key certificates used for verified boot.
Table 14-17  X.509 Public Key Certificates Used for Verified Boot

| Certificate Type | Description |
| --- | --- |
| System default certificate (System default) | System default certificate that the XSCF has. The XSCF has the same certificate as the public key certificate (`/etc/certs/*` or `/etc/certs/elfsign/*`) contained in Oracle Solaris. The XSCF has 1 or 2 system default certificates. Users cannot manipulate the certificates. |
| User's certificate | Certificate registered by a user. A certificate issued by a third party is registered as a user's certificate with XSCF. Up to 5 user's certificates can be registered with the XSCF for each physical partition. When enabled, a registered certificate can be used for boot verification. User's certificates are subject to save/restore on the system. However, saved certificates cannot be restored in other SPARC M12/M10. |

Boot verification is performed by using the system default certificate(s) and enabled user's certificates.