3.4.3 Initialization

Each host configured to use CGA authentication MUST generate an Rivest-Shamir-Adleman (RSA)  public/private key pair (see [RFC8017] and 3 and [RFC3972] section 3). The host MUST then generate a X.509 self-signed certificate that uses this key pair and is compatible with IKE (see [RFC2409] section 5.1).

The CGA itself MUST be created as described in [RFC3972] section 4. This IP address is used to send and receive the IKE packets described in section 3.4.5.