[Swan-dev] Delete an RSA key from NSS

Cesare Leonardi celeonar at gmail.com
Mon Oct 22 23:26:39 UTC 2018

I'm new to libreswan and while reading documentation and doing some 
tests, I observed that ipsec command permit to initialize an NSS 
database, to create a key, to show stored keys but, surprisingly, not to 
delete keys. Then I searched how to do it but was not so simple and I 
discovered that certutil learned only recently (version 3.39) to delete 

I guess this is the reason why also libreswan lacked this functionality 
until now, so I'm writing here in case you didn't know about this new 
certutil feature.

It would be good if one day we can use something like:
ipsec delhostkey --ckaid CKAID

Without having to search for the equivalent:
certutil -F -k CKAID -d /var/lib/ipsec/nss/


More information about the Swan-dev mailing list