On Fri, 27 Oct 2023, William Atwood wrote:
> I have one host that I will use to contain the CA, called Tarjan.
> I have 10 other hosts, which will be members of the group overseen by this
> CA. One of these is Perlis.
> Tarjan first creates a Certificate Authority.
> Tarjan (as CA) then creates a certificate for itself (as host).
> As long as the CA Common Name is not identical to the host Common Name
> certificate.
> Detailed instructions are given for exporting the CA certificate from Tarjan,
> either as a .p12 file or as a .crt file, and then installing it in NSS on
> Perlis.
> However, I can find no example of exporting a host certificate from NSS on
> Tarjan to copy into NSS on Perlis.
Why would you want to do that?
You can generate all the certificates and keys on Tarjan, then create
pkcs#12 exports for the 10 hosts, and import those p12 files on each
host. That would be the common way of doing this. You _could_ go the way
of doing a CSR on each host and copying that to the Tarjan CA to sign,
but that seems overly complicated for this use case.
> Clearly, I could import the .p12 file for the CA, including the private key,
> and then Perlis could then generate its own host certificate, by pretending
> to be the CA, but this seems very undesirable from a security perspective.
no need to do that.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan