So Bob told me:
- Don't use merge to update the database. Just call certutil (-x ?). Anything that opens the db in readwrite will cause the update (you need to run it twice due to the merge of different locations/db). This assumes we keep our nss db in /etc/ipsec.d, which I think is where we should leave the new db.

- All db's opened are within the same trust domain, so a helper opening another db does not actually contain any CAs to that db. So we don't gain anything by using a separate db in /var/lib/ipsec.

- Use the pkix interface instead of the generic one for certificate validation, and you can give it the CA to use and other CAs won't get picked up.

- No easy way to store crl/ocsp "separately", so for now I think we should just stick to being okay to lose it over restarts. We _could_ think of loading /etc/ipsec.d/crls/* into the "cached db" overlay to keep that functionality (I think it is common to use a file and scp, not a URI, for smaller deployments).

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
