Were you exporting keys that are part of some certificates?

Yes, this is possible (and importing too).

But in this case here I'm dealing with "standalone" keys - not keys which are 
part of certificates - and this does not seem possible.

I can't use certificate auth because of some issues on Mikrotik side (it seems 
to want "something" in subjectAltName but I can't figure out what... a Mikrotik 
forum post is pending moderation).

Any idea on the other options - such as generating keys with openssl and either 
importing into NSS as keys, or making LibreSwan use openssl key files, or 
converting openssl to DNS format and making LibreSwan use those as strings?

-- 
Kostya Vasilyev
[email protected]

On Wed, Jan 23, 2019, at 5:15 PM, Derek Cameron wrote:
> I was able to export both certificates and keys from NSS SQLite
> databases with commands such as:
> 
> pk12util -o test/client1.p12 -n "client1.example.com" -d sql:test
> 
> openssl pkcs12 -in test/client1.p12 -cacerts -nokeys -out test/client1.ca.pem
> 
> openssl pkcs12 -in test/client1.p12 -nocerts -nodes -out test/client1.key.pem
> 
> openssl pkcs12 -in test/client1.p12 -clcerts -nokeys -out 
> test/client1.cert.pem
> 
> On Wed, Jan 23, 2019 at 6:03 AM Kostya Vasilyev <[email protected]> wrote:
> >
> > Hi,
> >
> > I'm trying to configure a LibreSwan server with a Mikrotik router client 
> > (GRE tunnel).
> >
> > Got it working with PSK auth, would like to switch to RSA key based auth.
> >
> > Have seen the wikis, still have some questions.
> >
> > LibreSwan uses NSS for key storage - which is fine but Mikrotik doesn't 
> > have NSS to generate the keys nor understands NSS format (RFC 3110? aka DNS 
> > format encoding?)
> >
> > It does understand SSH format keys (and I can convert them to / from P12) 
> > and of course I can use openssl to generate.
> >
> > I can think of these ways to set up my keys, but can't get any of them to 
> > work:
> >
> > Option 1:
> >
> > Generate both (server and client) keys on server side with NSS and somehow 
> > export them in SSH format, including 1) server's public key 2) client's 
> > public key 3) client's private key
> >
> > From what I've seen on the Internet, NSS cannot (by design) export private 
> > keys at all. Maybe this is wrong and there is a way?
> >
> > And if I could do this, how would I convert from RFC 3110 in NSS to openssl 
> > format for Mikrotik?
> >
> > Option 2:
> >
> > Generate both (server and client) keys separately with openssl and somehow 
> > import them into NSS on the server, including 1) server's public key 2) 
> > server's private key 3) client's public key.
> >
> > But as far as I can tell, NSS cannot import keys, only certificates (I mean 
> > pk12util -i ...) so that seems like a dead end too unless I'm missing 
> > something.
> >
> > Option 3:
> >
> > Generate keys with openssl and somehow make LibreSwan use them directly 
> > from files, not from NSS.
> >
> > Is this possible? I understand from LibreSwan docs that NSS is the main 
> > method of configuring keys - but is it perhaps also possible to use SSH 
> > format key files (or SSH format key strings in settings)?
> >
> > Variation on 3:
> >
> > Directly specify keys in LibreSwan config (as strings) but I'd need to convert 
> > my openssl keys (both public and private for the server, public for the 
> > client) into RFC 3110 format, and can't find a way to do this.
> >
> > I assume there is a solution to this, it has to be a frequent case where 
> > "the other side" is not also LibreSwan, but just can't find the right docs 
> > it seems.
> >
> > Help please?
> >
> > --
> > Kostya Vasilyev
> > [email protected]
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan