Sorry, forgot to reply to all.
Don't you now need a different form of the certutil command for the nss
database? (sql:/etc/ipsec.d instead of etc/ipsec.d)
Nick
On 2016-02-22 02:05, Paul Wouters wrote:
On Sun, 21 Feb 2016, Alex wrote:
Can I just leave out the subnet declarations where they're not
necessary?
Yes.
Also, when I try to use my existing CA to create another cert for the
new host, it's unable to find it:
# certutil -L -d /etc/ipsec.d
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
cyclops u,u,u
DGHQ Authority - MyCompany Inc ,,
orion u,u,u
# certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
-s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
...
certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
in key database
certutil: unable to create cert (The private key for this certificate
cannot be found in key database)
Did I somehow screw up the process of creating the CA in the first
place?
possibly. The easist is to create a PKCS#12 file and run "ipsec import
file.p12"
Paul
Thanks,
Alex
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
