On Sun, 21 Feb 2016, Alex wrote:
Can I just leave out the subnet declarations where they're not
necessary?
Yes.
Also, when I try to use my existing CA to create another cert for the
new host, it's unable to find it:
# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
cyclops u,u,u
DGHQ Authority - MyCompany Inc ,,
orion u,u,u
# certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
-s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
...
certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)
Did I somehow screw up the process of creating the CA in the first place?
possibly. The easist is to create a PKCS#12 file and run "ipsec import file.p12"
Paul
Thanks,
Alex
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan