[Swan-dev] nss vs newhostkey / showhostkey
Andrew Cagney
andrew.cagney at gmail.com
Wed May 25 18:58:11 UTC 2016
On 25 May 2016 at 13:33, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 25 May 2016, Andrew Cagney wrote:
>
>> Ok. I think I'm getting to the right head space. The dogma is
>> s/ipsec.secrets/ipsec.d/. I.e., whereas before it would meddle with
>> /etc/ipsec.secrets, it now meddles with /etc/ipsec.d.
>
>
> Right. well NSS db to be exact.
>
>> In the case of newhostkey (a quick look at the man page shows it very
>> out-of-date):
>>
>> [ --configdir <nssdbdir> ] the directory containing the NSS DB, by
>> default "/etc/ipsec.d" (some make variable)
>> --password <password> the password for accessing the NSS DB, if
>> required, should this be required. Nice to have is slurping the
>> password out of /etc/ipsec.secrets
>
>
> The nss passwd can be stored in /etc/ipsec.d/nsspasswd.
>
>> and:
>>
>> --output <ipsec.secrets> is either optional or gone and appending to
>> /etc/ipsec.secrets is not the default
>
>
> It should be removed when newhostkey no longer touches ipsec.secrets or
> its includes.
?
So for now don't touch is the default.
>> (a way to dump the certificate into a file would be nice to have, mind)
>
>
> Yes. There is probably a certutil way?
Cue the dance of the self-signed certificates.
I suspect the correct way is to create the certificate at the same
time as the key-pair (like certutil -S).
>> so provided /etc/ipsec.d (and perhaps /etc/ipsec.secrets) are set up then:
>>
>> ipsec newhostkey
>>
>> will add a key to the NSS DB. I suspect it, in addition to:
>>
>> [root at east nss-cert-ocsp-07-nourl]# ipsec newhostkey
>> Generated RSA key pair was stored in the NSS database
>>
>> it should print information that identifies the generated key.
>
>
> Yes. It would be nice if we could still give it an identifier and log
> that into NSS for the key, similar to the "friendly_name" of
> certificates. But I do not know if nss supports that.
Looks like it. For instance, if I remove east's certificate, viz.:
certutil -D -n east -d ...
I can still list "east"'s key-pair, viz.:
certutil -K -n east ...
>>> root at thinkpad:/etc/ipsec.d# certutil -K -d sql:/etc/ipsec.d
>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
>>> Key and Certificate Services"
>>> < 0> rsa 825c07463fabbe48abbc9d6b25e72be7329fd77d (orphan)
>>> < 1> rsa e413910e49698e8611cb0ca9fdc194689abbf002 (orphan)
>>
>>
>> And showhostkey will print the public bits in various formats.
>>
>>> except we want to also display any potential friendly_name, and the
>>> pubkey blob as well. (the blob displayed now is ckaid)
>>
>>
>> It seems that the current friendly name is "(orphan)" aka NULL. I
>> guess, without --id (or ckaid or nickname?), it should list "orphans"
>> on the assumption that they are host keys.
>
>
> If we can set those to something specified, that would be great. Like
> FQDN per default?
The --hostname option to rsasigkey? Currently that is used for little
more than to print the domain name in a comment. It could be used as
a nickname though.
I think --nickname would be a better option -- nss calls them nicknames
-- perhaps default to hostname.
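The listing quoted above from "certutil -K" is the raw material a showhostkey-style tool would have to work with: an index, a key type, the CKAID, and either a nickname or "(orphan)" for a key-pair with no certificate attached. The following script is an added example, not code from the thread or from the libreswan project; it parses that output format offline from a constructed sample (the two orphan lines are taken from the quoted listing, the third line with the nickname "east" and a placeholder CKAID is invented here) and reports which keys are orphans, i.e. the ones that would be presumed to be host keys if no nickname is set.

```shell
#!/bin/sh
# Added example (not libreswan code): parse `certutil -K -d sql:/etc/ipsec.d`
# output and report each key's CKAID and nickname.  A key shown as "(orphan)"
# has no certificate and no nickname attached in the NSS DB.

# Constructed sample of certutil -K output.  The first two key lines are the
# ones quoted in the thread; the third (nickname "east", placeholder CKAID)
# is invented to show a key that does carry a nickname.
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 825c07463fabbe48abbc9d6b25e72be7329fd77d   (orphan)
< 1> rsa e413910e49698e8611cb0ca9fdc194689abbf002   (orphan)
< 2> rsa 0123456789abcdef0123456789abcdef01234567   east'

# list_keys OUTPUT: print one "index type ckaid nickname" line per key,
# skipping the token header; nickname is "-" for orphans.
list_keys() {
    # Turn "< 0> rsa ..." into "0 rsa ..." so `read` can split the fields;
    # sed -n ... p drops every line that is not a key entry.
    printf '%s\n' "$1" | sed -n 's/^< *\([0-9][0-9]*\)> */\1 /p' |
    while read -r idx type ckaid name; do
        case "$name" in
            "(orphan)"|"") name="-" ;;   # no certificate / no nickname
        esac
        printf '%s %s %s %s\n' "$idx" "$type" "$ckaid" "$name"
    done
}

# orphan_ckaids OUTPUT: CKAIDs of keys with no nickname, one per line.
orphan_ckaids() {
    list_keys "$1" | awk '$4 == "-" { print $3 }'
}

# count_orphans OUTPUT: number of orphan keys (whitespace-trimmed for BSD wc).
count_orphans() {
    orphan_ckaids "$1" | wc -l | tr -d ' '
}

# nickname_of OUTPUT CKAID: print the nickname for a CKAID, or "-" if none.
nickname_of() {
    list_keys "$1" | awk -v want="$2" '$3 == want { print $4 }'
}

# Stand-alone usage: list everything, then flag the unnamed keys.
list_keys "$SAMPLE_CERTUTIL_K"
echo "orphan (unnamed) keys: $(count_orphans "$SAMPLE_CERTUTIL_K")"
```

On a real host the sample string would be replaced by `$(certutil -K -d sql:/etc/ipsec.d)`; the parsing itself does not change. A key that shows up here as an orphan only means no certificate or nickname is associated with it in the NSS DB, which is exactly the ambiguity the thread is about: without a nickname there is nothing but the CKAID to tell host keys apart.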