On Mon, 22 Feb 2016, Nick Howitt wrote:

Don't you now need a different form of the certutil command for the nss database? (sql:/etc/ipsec.d instead of /etc/ipsec.d)

For libreswan-3.16 and above, yes.

Alex was running the old db format because his certutil command without
the sql: prefix worked fine.

Paul

Nick



On 2016-02-22 02:05, Paul Wouters wrote:
 On Sun, 21 Feb 2016, Alex wrote:

>  Can I just leave out the subnet declarations where they're not
>  necessary?

 Yes.

>  Also, when I try to use my existing CA to create another cert for the
>  new host, it's unable to find it:
>  # certutil -L -d /etc/ipsec.d
>
>  Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
>  cyclops                                                      u,u,u
>  DGHQ Authority - MyCompany Inc                               ,,
>  orion                                                        u,u,u
>
>  # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
>  -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
>  ...
>  certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>  SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>  in key database
>  certutil: unable to create cert (The private key for this certificate
>  cannot be found in key database)
>
>  Did I somehow screw up the process of creating the CA in the first place?

 Possibly. The easiest is to create a PKCS#12 file and run "ipsec import
 file.p12"

 Paul
>  Thanks,
>  Alex
>
 _______________________________________________
 Swan mailing list
 [email protected]
 https://lists.libreswan.org/mailman/listinfo/swan

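The procedure Paul sketches above, as an added shell example; this is not code from the list thread or from libreswan itself. It bundles an existing CA certificate together with its private key into a PKCS#12 file, loads that with "ipsec import" so the key ends up in the NSS key database, and only then issues a host certificate with certutil -S -c. The version check for the sql: prefix follows the 3.16 boundary stated in the thread. The nicknames ("DGHQ Authority - MyCompany Inc", "arcade"), file names, key size and the export password are made up for illustration, and the throw-away CA built by demo_bundle is constructed input so the bundling step can be tried on any machine with openssl.

```shell
#!/bin/sh
# Added example, not code from the swan list thread or from libreswan itself.
# Put the CA certificate AND its private key into one PKCS#12 bundle and load
# it with "ipsec import", so that certutil -S -c later finds the signing key.
# Nicknames, file names and the export password are invented for illustration.

# libreswan 3.16 and later open the NSS database as sql:/etc/ipsec.d;
# earlier releases use the old dbm format and take the bare directory.
# $1 is the libreswan version string, e.g. "3.15" or "3.23".
nss_db_arg() {
    nss_major=${1%%.*}
    nss_rest=${1#*.}
    nss_minor=${nss_rest%%.*}
    if [ "$nss_major" -gt 3 ] ||
       { [ "$nss_major" -eq 3 ] && [ "$nss_minor" -ge 16 ]; }; then
        echo "sql:/etc/ipsec.d"
    else
        echo "/etc/ipsec.d"
    fi
}

# Bundle a PEM CA certificate and its key into a PKCS#12 file. Importing only
# the certificate (certutil -A) is exactly what leaves the key database empty
# and certutil -S reporting SEC_ERROR_NO_KEY.
# $1 CA cert PEM, $2 CA key PEM, $3 NSS nickname, $4 output .p12, $5 export password
make_ca_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
        -out "$4" -passout "pass:$5"
}

# Import the bundle into the libreswan NSS database ("ipsec import" prompts for
# the export password), mark the CA trusted, check that a private key is now
# present, and issue a host certificate signed by it. Needs root for /etc/ipsec.d.
# $1 libreswan version, $2 .p12 file, $3 CA nickname, $4 host nickname
import_ca_and_issue() {
    db=$(nss_db_arg "$1")
    ipsec import "$2" || return 1
    certutil -M -n "$3" -t "CT,," -d "$db" || return 1
    # certutil -K lists private keys; without the CA's key here, -S -c will fail.
    certutil -K -d "$db" | grep -F -- "$3" >/dev/null ||
        { echo "no private key for '$3' in $db" >&2; return 1; }
    # The host certificate's subject names the host; the CA subject is not reused.
    certutil -S -k rsa -g 2048 -c "$3" -n "$4" -s "CN=$4" -v 12 -t "u,u,u" -d "$db" || return 1
    certutil -L -d "$db"
}

# Build a throw-away CA with openssl (constructed demo input) so the bundling
# step can be exercised on any machine; prints the path of the resulting .p12.
demo_bundle() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=MyCompany Inc/CN=DGHQ Authority - MyCompany Inc" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null || return 1
    make_ca_p12 "$work/ca.crt" "$work/ca.key" \
        "DGHQ Authority - MyCompany Inc" "$work/ca.p12" "export-pw" || return 1
    echo "$work/ca.p12"
}

# Usage: sh ca-to-nss.sh bundle             -> prints the path of a demo ca.p12
#        sh ca-to-nss.sh import 3.16 ca.p12 -> imports it and issues "arcade" (as root)
case "${1:-}" in
    bundle) demo_bundle ;;
    import) import_ca_and_issue "$2" "$3" "DGHQ Authority - MyCompany Inc" "arcade" ;;
esac
```

The certutil -K check is the one worth keeping around: a CA nickname that shows up in certutil -L but not in certutil -K is the symptom Alex hit, and no amount of -c on the certutil -S line will fix it until the key itself is in the database.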
