[Swan-dev] How to specify a CKAID in the config file
Andrew Cagney
andrew.cagney at gmail.com
Thu Apr 28 01:24:12 UTC 2016
If you type:
# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 22169af2dd143838caa67837bcfede1fde5d4e2a east
the middle hex is the CKAID for the key-pair "east" (as an aside, I've
yet to figure out how to dump the CKAID of a certificate from the
command line). Since it is derived from the public key, it can be
used to identify a certificate (the sane way is to use the nickname -
"east" - but we're not being sane).
My question is: how to specify this in the config file and on the whack command line?
For the moment I've got:
leftrsasigkey=%ckaid
leftcert=22169af2dd143838caa67837bcfede1fde5d4e2a
and:
whack .. --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a ...
I think whack is ok (For the moment <<whack --dnsondemand --cert west
--ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a --cert east --ckaid
22169af2dd143838caa67837bcfede1fde5d4e2a>> is reduced to <<whack
--dnsondemand --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a>> which
doesn't seem too bad).
I'm not so sure about the config file; in part because I'm suspicious
of the existing behaviour. For instance, I suspect:
- leftrsasigkey=%dnsondemand leftcert=east still loads "east"
- leftrsasigkey=<raw-cert> leftrsasigkey2=%dnsondemand leads to leftrsasigkey2 being ignored
- and come ECC, having something like "rsasigkey=%cert" will be decidedly weird.
- I'm pretty sure leftcert=%dnsondemand wasn't implemented because "%dnsondemand" is a valid alias (nickname)
So?
Off hand I can think of:
- the above - it seems to work :-)
- leftckaid=.. but then what happens when it is mixed with leftcert= et al.? The parser doesn't track which one came first/last
- leftpubkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a or leftpubkey=%dnsondemand or leftpubkey=%cert:east or ...?
- leftrsasigkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a
- or ...
Andrew
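The post says the CKAID is derived from the public key and that dumping the CKAID of a certificate from the command line is not obvious. The following is an added example (my own code, not libreswan's or NSS's) that computes an RSA CKAID from DER input: a bare RSAPublicKey, a SubjectPublicKeyInfo, or a whole X.509 certificate such as `certutil -L -d sql:/etc/ipsec.d -n east -r` writes out. It rests on one assumption, taken from my reading of NSS's PK11_MakeIDFromPubKey as called for RSA keys: the CKA_ID is the SHA-1 of the modulus as an unsigned integer, i.e. with the 0x00 sign byte that DER adds for a high-bit modulus stripped off. Hashing the DER INTEGER bytes as-is gives a different value, which the sample demonstrates. All function names, the `der`/`der_uint` encoder used only to build the sample input, and the (deliberately tiny, insecure) sample modulus are constructed for this example.

```python
"""Compute an NSS-style CKAID for an RSA key from DER data.

Added example, not libreswan or NSS code.  Assumption (from NSS's
PK11_MakeIDFromPubKey as used for RSA): CKA_ID = SHA-1(modulus), where the
modulus is the unsigned value, i.e. without the DER sign byte.
"""
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def sha1_hex(data):
    """SHA-1 as lowercase hex, the form certutil -K prints the CKAID in."""
    return hashlib.sha1(data).hexdigest()


def der_tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, end


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def find_rsa_modulus(buf, start=0, end=None):
    """Depth-first search for RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }.

    Descends into SEQUENCEs and BIT STRINGs, so it works on a bare RSAPublicKey,
    a SubjectPublicKeyInfo, or a full certificate (where the SPKI precedes the
    signature BIT STRING and is therefore matched first).  Returns the raw DER
    INTEGER content of n, sign byte included, or None.
    """
    if end is None:
        end = len(buf)
    for tag, vstart, vend in der_children(buf, start, end):
        if tag == 0x30:  # SEQUENCE
            kids = list(der_children(buf, vstart, vend))
            if len(kids) == 2 and all(k[0] == 0x02 for k in kids):
                return buf[kids[0][1]:kids[0][2]]
            found = find_rsa_modulus(buf, vstart, vend)
            if found is not None:
                return found
        elif tag == 0x03 and vend - vstart > 1:  # BIT STRING: skip unused-bits byte
            found = find_rsa_modulus(buf, vstart + 1, vend)
            if found is not None:
                return found
    return None


def rsa_ckaid(der_bytes):
    """Return the assumed NSS CKAID (hex) for the RSA key found in der_bytes."""
    modulus = find_rsa_modulus(der_bytes)
    if modulus is None:
        raise ValueError("no RSA public key found in DER input")
    # DER INTEGER is two's complement; NSS keeps the modulus as an unsigned
    # item, so drop the leading 0x00 sign byte(s) before hashing (assumption).
    modulus = modulus.lstrip(b"\x00") or b"\x00"
    return sha1_hex(modulus)


def ckaid_matches(configured, der_bytes):
    """Check a CKAID written in a config (hex, any case) against the key in der_bytes."""
    return configured.strip().lower() == rsa_ckaid(der_bytes)


# --- constructed sample input (not a real key; 256-bit modulus is insecure) ---
def der(tag, content):
    """Minimal DER encoder, only used here to build the sample input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_uint(value):
    """DER INTEGER for a non-negative value; adds the 0x00 sign byte when needed."""
    b = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(0x02, b)


SAMPLE_N = int("c0" + "ab" * 31, 16)  # top bit set, so DER prefixes 0x00
SAMPLE_E = 65537
SAMPLE_RSAPUBKEY = der(0x30, der_uint(SAMPLE_N) + der_uint(SAMPLE_E))
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
                  + der(0x03, b"\x00" + SAMPLE_RSAPUBKEY))

if __name__ == "__main__":
    print(rsa_ckaid(SAMPLE_SPKI))
```

To use it on a real key, feed the DER written by `certutil -L -d sql:/etc/ipsec.d -n east -r` into `rsa_ckaid()` and compare the result with the middle column of `certutil -K -d sql:/etc/ipsec.d`; if the two disagree on a key the assumption about sign-byte stripping should be checked against the NSS version in use.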