Certificate bundles are used to store a group of related certificate information. A certificate bundle contains zero or more certificates and zero or more certificate revocation lists (CRLs). When an IKEv2 negotiation uses a digital signature authentication method, this certificate information can be exchanged using a certificate bundle. In that case, a URL that identifies the certificate bundle and a hash of the data in the certificate bundle are sent to the remote security endpoint. The remote security endpoint then retrieves the certificate bundle from an HTTP server, and uses the bundle when it validates the digital signature.
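The following is an added example, not code from this documentation or from z/OS, showing the check a receiving endpoint should make before it uses a retrieved bundle: confirm the fetched data matches the hash the peer sent, then split the bundle into certificates and CRLs with a strict parser. It assumes the bundle layout defined in RFC 7296 (a DER SEQUENCE of explicitly tagged [0] Certificate or [1] CertificateList entries) and a 20-byte SHA-1 hash, neither of which this page states; the certificate and CRL entries are opaque placeholder bytes rather than real X.509 structures.

```python
import hashlib
import hmac

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a short-form or minimal long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos as (tag, value, end); reject truncated or indefinite input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    nb = 0 if first < 0x80 else first & 0x7F
    if first == 0x80 or nb > 4 or pos + 2 + nb > len(buf):
        raise ValueError("bad length encoding")
    length = first if nb == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
    end = pos + 2 + nb + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos + 2 + nb:end], end

def build_bundle(certs, crls) -> bytes:
    """CertBundle ::= SEQUENCE OF CHOICE { cert [0] Certificate, crl [1] CertificateList } (assumed layout)."""
    items = [der_tlv(0xA0, c) for c in certs] + [der_tlv(0xA1, c) for c in crls]
    return der_tlv(0x30, b"".join(items))

def bundle_hash(bundle: bytes) -> bytes:
    """Hash carried next to the URL in the IKEv2 CERT payload (SHA-1 assumed, per RFC 7296)."""
    return hashlib.sha1(bundle).digest()

def verify_and_split(retrieved: bytes, advertised_hash: bytes) -> dict:
    """Accept the HTTP-fetched bundle only if it matches the hash the peer sent, then parse it."""
    # The hash was received inside the authenticated IKE exchange; the HTTP fetch was not.
    if not hmac.compare_digest(bundle_hash(retrieved), advertised_hash):
        raise ValueError("retrieved bundle does not match advertised hash")
    tag, body, end = read_tlv(retrieved, 0)
    if tag != 0x30 or end != len(retrieved):
        raise ValueError("bundle is not a single SEQUENCE")
    out, pos = {0xA0: [], 0xA1: []}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag not in out:
            raise ValueError("unexpected element tag 0x%02x" % tag)
        out[tag].append(val)
    return {"certs": out[0xA0], "crls": out[0xA1]}
```

The returned certificates and CRLs still have to be chain-validated and checked for revocation as usual; the hash check only proves the fetched bytes are the ones the peer referred to.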
Although consolidating this information in one place has advantages, consolidation might cause the remote security endpoint to retrieve unneeded information. Often the remote security endpoint already has knowledge of most of the certificates in the trust chain and is capable of retrieving CRL information using another method. In such cases, it might be more efficient to use individual certificates, rather than a certificate bundle.
You can use the certbundle command to create one or more files, each of which contains one certificate bundle. A certificate bundle options file is required as input to the certbundle command. The certificate bundle options file identifies how many certificate bundles are created, as well as the contents of each certificate bundle.