On Wed, Jan 23, 2019, at 9:06 PM, Paul Wouters wrote: > On Wed, 23 Jan 2019, Kostya Vasilyev wrote: > > > Were you exporting keys that are part of some certificates? > > > > Yes this is possible (and importing too). > > > > But in this case here I'm dealing with "standalone" keys - not keys which > > are part of certificates - and this does not seem possible. > > You can use certutil -d sql:/etc/ipsec.d -K to list all the raw keys, > even those that came in via pkcs#12 imports. that lists the ckaid, > which you can use to load the key, eg leftckaid=..... > > But a CKAID is not a public key format that the other endpoint can use, > so to get the public key in base64 format, you can use: > ipsec showhostkey --left --ckaid ....
Right but that's raw format again - which Mikrotik can't use and I can't find a tool that would convert raw to openssl... Which is weird since in my world (your basic software developer, ssh to servers, that sort of thing) - openssl key format is much more common... > > I can't use certificate auth because of some issues on Mikrotik side (it > > seems to want "something" in subjectAltName but I can't figure out what... > > a Mikrotik forum post is pending moderation). > > Whatever the IDs used in IKE are, those should appear as SubjectAltName > in the certificate. So if your [email protected] you need a DNS:foo.bar > SAN. Same goes for not using any leftid= which means it is using its IP > address as ID, so you need an IP:a.b.c.d SAN. > > The only exception is if you are using a Distinguished Name (DN) as ID. > In that case, the DN of the certificate is matched as a whole to the ID. Thanks for the tips, tried both DNS and IP extensions already. The Mikrotik either complaints that it "cannot get subjectAltName" or "can't parse ph2 packet" - which is terribly cryptic. It does not complain about ID mismatches. I'm still hoping to get help on their forums. Anyway, thanks for confirming my findings - I mean using a certificate as an "exchange medium" to distribute the keys. It would be nice if NSS supported importing / exporting openssl *keys* directly, including private keys, to make key management easier, but I understand it's an external (to libreswan) piece of software. I also understand that "real" cert based auth is more common (or else people probably contend with PSK...) Thanks again! -- K _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
