On Wed, 25 May 2016, Andrew Cagney wrote:
I suspect the correct way is to create the certificate at the same
time as the key-pair (like certutil -S).
I was hoping to avoid that, but if that's what is needed we could do
that.
Yes. It would be nice if we could still give it an identifier and log
that into NSS for the key, similar to the "friendly_name" of
certificates. But I do not know if nss supports that.
Looks like it. For instance, if I remove east's certificate vis:
    certutil -D -n east -d ...
I can still list "east"'s key-pair vis:
    certutil -K -n east ...
Oh yeah. I just tested it too and that works. So that's a good sign!
If we can set those to something specified, that would be great. Like
FQDN per default?
The --hostname option to rsasigkey? Currently that is used for little
more than to print the domain name in a comment. It could be used as
a nickname though.
I think --nickname would be a better option -- nss calls them nicknames
-- (perhaps default to hostname).
Works for me.
Paul