On Tue, 23 Oct 2018, Cesare Leonardi wrote:
> I'm new to libreswan and while reading documentation and doing some tests, I
> observed that the ipsec command permits initializing an NSS database, creating a
> key, and showing stored keys but, surprisingly, not deleting keys. Then I
> searched for how to do it, but it was not so simple, and I discovered that certutil
> learned only recently (version 3.39) to delete keys:
> https://bugzilla.mozilla.org/show_bug.cgi?id=291383
> I guess this is the reason why libreswan also lacked this functionality until
> now, so I'm writing here in case you didn't know about this new certutil
> feature.
> It would be good if one day we could use something like:
> ipsec delhostkey --ckaid CKAID
> without having to search for the equivalent:
> certutil -F -k CKAID -d /var/lib/ipsec/nss/
I agree this functionality should be added. Since it is a simple
translation between "ipsec" commands and "certutil" commands, the
best place would be to add this directly into the ipsec command
without creating a helper command (like we do for showhostkey).
It should only need a small patch to programs/ipsec/ipsec.in
Paul
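As an added illustration of the kind of wrapper discussed above (this is not libreswan's own ipsec.in code, and the delhostkey subcommand does not exist in the project at the time of the thread), here is a POSIX sh function that performs the one-to-one translation from "ipsec delhostkey --ckaid CKAID" to "certutil -F -k CKAID -d /var/lib/ipsec/nss/". The --nssdir option and the IPSEC_NSSDIR and CERTUTIL environment overrides are hypothetical additions so the wrapper can be exercised without touching a real NSS database; the CKAID hex check is there so that a typo or stray shell metacharacter is rejected before it reaches certutil's -k argument.

```shell
# Added example, not libreswan's own code: a sketch of a "delhostkey"
# subcommand wrapper that maps "ipsec delhostkey --ckaid CKAID" onto
# "certutil -F -k CKAID -d /var/lib/ipsec/nss/".
# Hypothetical pieces (not on the page): the --nssdir option and the
# IPSEC_NSSDIR / CERTUTIL environment overrides, used for testing.

delhostkey() {
    ckaid=""
    nssdir="${IPSEC_NSSDIR:-/var/lib/ipsec/nss}"

    while [ $# -gt 0 ]; do
        case "$1" in
            --ckaid)
                [ $# -ge 2 ] || { echo "delhostkey: --ckaid needs a value" >&2; return 2; }
                ckaid="$2"; shift ;;
            --nssdir)
                [ $# -ge 2 ] || { echo "delhostkey: --nssdir needs a value" >&2; return 2; }
                nssdir="$2"; shift ;;
            *)
                echo "delhostkey: unknown option: $1" >&2
                return 2 ;;
        esac
        shift
    done

    # A CKAID is a hex string; refuse anything else so that a typo or a
    # shell metacharacter never becomes certutil's -k argument.
    case "$ckaid" in
        "")             echo "delhostkey: --ckaid is required" >&2; return 2 ;;
        *[!0-9a-fA-F]*) echo "delhostkey: CKAID must be hexadecimal: $ckaid" >&2; return 2 ;;
    esac

    # Refuse to run against a directory that does not exist, so the error
    # message comes from the wrapper rather than from a confused certutil.
    [ -d "$nssdir" ] || { echo "delhostkey: no such NSS directory: $nssdir" >&2; return 1; }

    # The actual translation: -F deletes the private key selected by -k
    # from the NSS database in -d. CERTUTIL defaults to the real binary.
    "${CERTUTIL:-certutil}" -F -k "$ckaid" -d "$nssdir"
}
```

Setting CERTUTIL=echo turns the wrapper into a dry run that prints the certutil argument list instead of deleting anything, which is a convenient way to check the translation before pointing it at /var/lib/ipsec/nss.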
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev