[Swan-dev] nss vs newhostkey / showhostkey

Andrew Cagney andrew.cagney at gmail.com
Mon Jun 20 19:04:59 UTC 2016


>> (I still can't see the point of certutil -G (other than provide a
>> reference implementation for rsasigkey)).
>
>
> It is probably just a tool that uses the nss libraries for the real
> work. We cannot use it instead of rsasigkey because nss-utils do
> not get FIPS certification unlike the nss library.

For reference, this is how things now work; since showhostkey takes a
CKAID it can even use a key generated from the above:

[root at east source]# ipsec showhostkey --list
< 1> RSA keyid: AwEAAdcO4 ckaid: dd13a62c0281633bad8bffa435b8762d67b1be43
[root at east source]# certutil -d sql:/etc/ipsec.d -G
[root at east source]# ipsec showhostkey --list
< 1> RSA keyid: AwEAAdcO4 ckaid: dd13a62c0281633bad8bffa435b8762d67b1be43
< 2> RSA keyid: AwEAAZ4R4 ckaid: 853abdb3d1d3fa098f65875256670a2dfa3dc513
[root at east source]# ipsec showhostkey --left --ckaid 853
    # rsakey AwEAAZ4R4
    leftrsasigkey=0sAwEAAZ4R4E3dLptXLNmGaKH9yQtvke9EM7VTStG96bKkUPphWIpjylW/YFf9/EOYwqCm9aUEYz8ZaoPm6V3qqsSl6FvO/MJJGPt2StPNoh6RrkKQrkNFR/e3iGMULKk7VCtx/yDDss9hqFnTeE0rSlJnInXoXBjNvzTYl3K1I6if7jgWWu0ibIS9KGgTcgVBRW+t7HBIVtatrsgKZRY1YaQ6RmnqgyRuyEOt1XzkYKwm4wSfbYy/dEPL91rNLsLAX1RUrlHrrVpCHVLjt5TVFwiXFp3BMz1OiAv/PWoRXDcw/ZsLhSBcA7pyHF0vmtBuhoRisjtDKYiuKE1waJoe8zMDytU=
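A small parser for the listing format shown above, added here as an example and not part of libreswan or of this thread: it reads `ipsec showhostkey --list` lines, resolves a CKAID prefix such as `853` to exactly one key (refusing prefixes that match nothing or more than one key, which matters once a NSS database holds several keys), and checks that the `leftrsasigkey=` value returned for that key carries the matching keyid. The sample input is constructed from the session lines in the post (the leftrsasigkey value is truncated); the keyid check rests on the relationship visible in that session, where the keyid is the first nine base64 characters after the `0s` prefix, and is labelled as an assumption in the code.

```python
"""Parse `ipsec showhostkey --list` output and resolve a CKAID prefix to one key."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two listing lines from the session in the post.
SAMPLE_LISTING = """\
< 1> RSA keyid: AwEAAdcO4 ckaid: dd13a62c0281633bad8bffa435b8762d67b1be43
< 2> RSA keyid: AwEAAZ4R4 ckaid: 853abdb3d1d3fa098f65875256670a2dfa3dc513
"""

# Constructed sample of the `--left --ckaid 853` output from the same session;
# the base64 value is truncated here to keep the example short.
SAMPLE_LEFT = """\
    # rsakey AwEAAZ4R4
    leftrsasigkey=0sAwEAAZ4R4E3dLptXLNmGaKH9yQtvke9EM7VTStG96bKkUPphWIpjylW/YFf9
"""

LIST_RE = re.compile(
    r"^<\s*(?P<index>\d+)>\s+(?P<kind>\S+)\s+keyid:\s+(?P<keyid>\S+)"
    r"\s+ckaid:\s+(?P<ckaid>[0-9a-fA-F]+)\s*$"
)
LEFT_RE = re.compile(r"^\s*leftrsasigkey=(?P<value>0s[A-Za-z0-9+/=]+)\s*$")


@dataclass(frozen=True)
class HostKey:
    index: int
    kind: str    # e.g. "RSA"
    keyid: str   # short base64 identifier printed by showhostkey
    ckaid: str   # NSS CKA_ID as lower-case hex


def parse_listing(text: str) -> List[HostKey]:
    """Turn `showhostkey --list` output into HostKey records; reject unknown lines."""
    keys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LIST_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised showhostkey --list line: {line!r}")
        keys.append(HostKey(int(m["index"]), m["kind"], m["keyid"], m["ckaid"].lower()))
    return keys


def resolve_ckaid(keys: List[HostKey], prefix: str) -> HostKey:
    """Select the single key whose CKAID starts with `prefix` (hex, case-insensitive).

    A prefix that matches no key, or more than one key, is an error rather than
    a silent pick: once a database holds several keys a short prefix can collide.
    """
    p = prefix.lower()
    if not re.fullmatch(r"[0-9a-f]+", p):
        raise ValueError(f"CKAID prefix must be non-empty hex, got {prefix!r}")
    matches = [k for k in keys if k.ckaid.startswith(p)]
    if not matches:
        raise LookupError(f"no host key has a CKAID starting with {p}")
    if len(matches) > 1:
        found = ", ".join(k.ckaid for k in matches)
        raise LookupError(f"CKAID prefix {p} is ambiguous: {found}")
    return matches[0]


def extract_leftrsasigkey(text: str) -> str:
    """Pull the `leftrsasigkey=0s...` value out of `showhostkey --left` output."""
    for line in text.splitlines():
        m = LEFT_RE.match(line)
        if m:
            return m["value"]
    raise ValueError("no leftrsasigkey= line found")


def keyid_matches(keyid: str, leftrsasigkey: str) -> bool:
    """Check that the emitted key belongs to the key we resolved.

    Assumption taken from the session in the post: the keyid is the first nine
    base64 characters of the value that follows the "0s" prefix.
    """
    return leftrsasigkey.startswith("0s" + keyid)


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    chosen = resolve_ckaid(keys, "853")
    value = extract_leftrsasigkey(SAMPLE_LEFT)
    print(f"selected key {chosen.index} ({chosen.keyid}), "
          f"leftrsasigkey consistent: {keyid_matches(chosen.keyid, value)}")
```

Feed the script the real output of `ipsec showhostkey --list` and `ipsec showhostkey --left --ckaid <prefix>` in place of the constructed samples; the ambiguity check is the part worth keeping, since the prefix form of `--ckaid` is only unambiguous while no two CKAIDs in the database share it.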

