On Mon, 14 Sep 2015, Peter Bendel wrote:
Certificates have a validity and expire when the validity is expired.
Thus in a production IPsec implementation it is necessary to replace the
certificates close to the expiration date.
For production servers it is a problem if the ipsec service needs to be
restarted to pick up new certificates from the nss database.
In the following two topics it is mentioned that it is a current limitation
that to re-read the NSS SQLite db the ipsec service needs to be restarted.
https://lists.libreswan.org/pipermail/swan/2014/000924.html
https://lists.libreswan.org/pipermail/swan/2014/000924.html
It was mentioned by Paul that Matt is working on a solution (Oct. 2014).
However, I didn't find any mention in the changelog that this limitation is
already addressed.

This was addressed in 3.14 when we moved from the NSS db to the sql
format. You are able to import the certificate on a running system.
Paul