I was able to export both certificates and keys from NSS SQLite databases with commands such as:
pk12util -o test/client1.p12 -n "client1.example.com" -d sql:test
openssl pkcs12 -in test/client1.p12 -cacerts -nokeys -out test/client1.ca.pem
openssl pkcs12 -in test/client1.p12 -nocerts -nodes -out test/client1.key.pem
openssl pkcs12 -in test/client1.p12 -clcerts -nokeys -out test/client1.cert.pem

On Wed, Jan 23, 2019 at 6:03 AM Kostya Vasilyev <[email protected]> wrote:
>
> Hi,
>
> I'm trying to configure a LibreSwan server with a Mikrotik router client
> (GRE tunnel).
>
> Got it working with PSK auth, would like to switch to RSA key based auth.
>
> Have seen the wikis, still have some questions.
>
> LibreSwan uses NSS for key storage - which is fine but Mikrotik doesn't have
> NSS to generate the keys nor understands NSS format (RFC 3110? aka DNS format
> encoding?)
>
> It does understand SSH format keys (and I can convert them to / from P12) and
> of course I can use openssl to generate.
>
> I can think of these ways to set up my keys, but can't get any of them to
> work:
>
> Option 1:
>
> Generate both (server and client) keys on server side with NSS and somehow
> export them in SSH format, including 1) server's public key 2) client's
> public key 3) client's private key
>
> From what I've seen on the Internet, NSS cannot (by design) export private
> keys at all. Maybe this is wrong and there is a way?
>
> And if I could do this, how would I convert from RFC 3110 in NSS to openssl
> format for Mikrotik?
>
> Option 2:
>
> Generate both (server and client) keys separately with openssl and somehow
> import them into NSS on the server, including 1) server's public key 2)
> server's private key 3) client's public key.
>
> But as far as I can tell, NSS cannot import keys, only certificates (I mean
> pk12util -i ...) so that seems like a dead end too unless I'm missing
> something.
>
> Option 3:
>
> Generate keys with openssl and somehow make LibreSwan use them directly from
> files, not from NSS.
>
> Is this possible? I understand from LibreSwan docs that NSS is the main
> method of configuring keys - but is it perhaps also possible to use SSH
> format key files (or SSH format key strings in settings)?
>
> Variation on 3:
>
> Directly specify keys in LibreSwan config (as strings) but I'd need to convert my
> openssl keys (both public and private for the server, public for the client)
> into RFC 3110 format, and can't find a way to do this.
>
> I assume there is a solution to this, it has to be a frequent case where "the
> other side" is not also LibreSwan, but just can't find the right docs it
> seems.
>
> Help please?
>
> --
> Kostya Vasilyev
> [email protected]
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
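The RFC 3110 encoding the quoted message asks about, as an added example that is not part of this thread or of libreswan's own code: an RSA public key is serialised as the exponent length (one byte, or a zero byte plus a two-byte length when the exponent is 256 bytes or longer), the exponent, then the modulus, and the whole thing is base64-encoded; libreswan's "0s" prefix marks a base64 string in its config. The modulus and exponent values are constructed for the demonstration; for a real openssl key they can be read from `openssl rsa -pubin -in key.pem -noout -modulus` and `openssl rsa -pubin -in key.pem -noout -text`.

```python
import base64


def rfc3110_encode(exponent: int, modulus: int) -> str:
    """Serialise an RSA public key (e, n) in RFC 3110 wire format and
    return it as a base64 string with libreswan's "0s" prefix."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        # Short form: a single length byte precedes the exponent.
        prefix = bytes([len(exp_bytes)])
    else:
        # Long form: a zero byte, then a 2-byte big-endian length.
        prefix = b"\x00" + len(exp_bytes).to_bytes(2, "big")
    return "0s" + base64.b64encode(prefix + exp_bytes + mod_bytes).decode()


def rfc3110_decode(key: str) -> tuple[int, int]:
    """Parse an RFC 3110 base64 key (with or without the "0s" prefix)
    back into (exponent, modulus) integers."""
    if key.startswith("0s"):
        key = key[2:]
    raw = base64.b64decode(key)
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[offset:offset + exp_len], "big")
    modulus = int.from_bytes(raw[offset + exp_len:], "big")
    return exponent, modulus


if __name__ == "__main__":
    # Constructed toy values; a real modulus is 2048 bits or more.
    e, n = 65537, 0xC0FFEE
    encoded = rfc3110_encode(e, n)
    print(encoded)                       # 0sAwEAAcD/7g==
    print(rfc3110_decode(encoded) == (e, n))
```

Real libreswan keys with exponent 65537 therefore always begin with "0sAwEAA", which is a quick sanity check when pasting a converted key into a config.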
