On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

ipsec-tools has a utility called plainrsa-gen which can generate RFC 3110 
format keys.

Output looks like this (this is a 512 bit key for brevity):

# : PUB 0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ==
: RSA   {
        # RSA 256 bits
        # pubkey=0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ==
        Modulus: 0xc1bba15281ccd82798e3a84e2b423d66d8f202da88872f887a56189c4113f7c5
        PublicExponent: 0x03
        PrivateExponent: 0x8127c0e1abdde56fbb4270341cd6d398bd0376dfa632f2f89b0118b27d89edeb
        Prime1: 0xe1006e0fedd5b3ceeb23d3af2552cd5d
        Prime2: 0xdc6c627b21650f44a6b09fe15f724589
        Exponent1: 0x9600495ff3e3cd349cc28d1f6e373393
        Exponent2: 0x92f2ec5216435f8319cb1540ea4c2e5b
        Coefficient: 0xcbfd904423e9e83f8363823d512e9b87
 }

These are no longer needed for libreswan, but if having this format is
useful to use, you can run: ipsec newhostkey --output /etc/ipsec.secrets
and you will see the private key in NSS and the public key in
/etc/ipsec.secrets.

On my Fedora home system, it can also import from openssl private / public 
format key files (not on Debian, where I have LibreSwan, but that doesn't 
matter; I can do the conversion on Fedora).

And unless this documentation is outdated, I should be able to put the server's 
private key into ipsec.secrets (not NSS) even with LibreSwan:

https://libreswan.org/man/ipsec.secrets.5.html

No. Putting private keys in ipsec.secrets has never been supported for
libreswan. Early libreswan versions still required the presence of the
public key in the secrets file, but this is no longer needed (and ignored)
as of libreswan v3.16 (released December 18, 2015).

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
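
Added example (not part of the original thread, and not ipsec-tools or libreswan code): decoding the `0s`-prefixed base64 public key quoted above as an RFC 3110 blob and checking it against the `Modulus:` and `PublicExponent:` fields of the same output. The helper names `parse_rfc3110_pubkey` and `describe` are hypothetical; the key values are copied from the thread.

```python
import base64

# Values copied from the plainrsa-gen output quoted in the thread above.
PUBKEY = "0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ=="
MODULUS_FIELD = 0xc1bba15281ccd82798e3a84e2b423d66d8f202da88872f887a56189c4113f7c5


def parse_rfc3110_pubkey(text):
    """Return (exponent, modulus) from a '0s'-prefixed base64 RFC 3110 key.

    Hypothetical helper written for this example.
    """
    if not text.startswith("0s"):
        raise ValueError("expected the '0s' (base64) prefix")
    blob = base64.b64decode(text[2:], validate=True)
    if len(blob) < 3:
        raise ValueError("blob too short")
    # RFC 3110: one length octet (1..255), or 0x00 followed by a
    # two-octet big-endian length for longer exponents.
    if blob[0] != 0:
        exp_len, offset = blob[0], 1
    else:
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def describe(text):
    """Summarise a key so it can be compared with the other output fields."""
    e, n = parse_rfc3110_pubkey(text)
    return {"exponent": e, "modulus": n, "bits": n.bit_length()}


if __name__ == "__main__":
    info = describe(PUBKEY)
    print("exponent:", info["exponent"])
    print("modulus bits:", info["bits"])
    print("matches Modulus field:", info["modulus"] == MODULUS_FIELD)
```
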
