[Swan-dev] Delete an RSA key from NSS
Paul Wouters
paul at nohats.ca
Tue Oct 23 10:29:06 UTC 2018
On Tue, 23 Oct 2018, Cesare Leonardi wrote:
> I'm new to libreswan and while reading documentation and doing some tests, I
> observed that the ipsec command permits initializing an NSS database, creating a
> key, and showing stored keys but, surprisingly, not deleting keys. Then I
> searched for how to do it, but it was not so simple, and I discovered that certutil
> learned only recently (version 3.39) to delete keys:
> https://bugzilla.mozilla.org/show_bug.cgi?id=291383
>
> I guess this is the reason why libreswan also lacked this functionality until
> now, so I'm writing here in case you didn't know about this new certutil
> feature.
>
> It would be good if one day we can use something like:
> ipsec delhostkey --ckaid CKAID
>
> Without having to search for the equivalent:
> certutil -F -k CKAID -d /var/lib/ipsec/nss/
I agree this functionality should be added. Since it is a simple
translation between "ipsec" commands and "certutil" commands, the
best place would be to add this directly into the ipsec command
without creating a helper command (like we do for showhostkey).
It should only need a small patch to programs/ipsec/ipsec.in.
Paul
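The following is an added, stand-alone sketch of the wrapper discussed in this thread, written here as an illustration; it is not libreswan's programs/ipsec/ipsec.in and not code from either poster. Only the `--ckaid` option, the default database path /var/lib/ipsec/nss and the `certutil -F -k CKAID -d DIR` translation come from the thread; the `--nssdir` and `--dry-run` options, the requirement that the CKAID be an even-length hex string, and the pre-check with `certutil -K` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: an "ipsec delhostkey" style wrapper around certutil.
# Not libreswan code. Assumptions: the CKAID is an even-length hex string
# (it is passed straight to certutil, so anything else is rejected), and
# certutil is NSS 3.39 or later, where "-F -k" deletes a key by CKA_ID.

IPSEC_NSSDIR="${IPSEC_NSSDIR:-/var/lib/ipsec/nss}"   # default path from the thread

# validate_ckaid HEX: accept only a non-empty, even-length string of hex digits.
validate_ckaid() {
    case "$1" in
        '') return 1 ;;
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# build_delhostkey_cmd CKAID NSSDIR: print the certutil command line that the
# wrapper would run, so the ipsec -> certutil translation can be reviewed
# (and tested) without touching a real database.
build_delhostkey_cmd() {
    printf 'certutil -F -k %s -d %s\n' "$1" "$2"
}

# delhostkey [--nssdir DIR] [--dry-run] --ckaid CKAID
#   --nssdir and --dry-run are assumed options added for this example.
delhostkey() {
    nssdir="$IPSEC_NSSDIR"; ckaid=""; dryrun=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --ckaid)
                [ $# -ge 2 ] || { echo "delhostkey: --ckaid needs a value" >&2; return 2; }
                ckaid="$2"; shift 2 ;;
            --nssdir)
                [ $# -ge 2 ] || { echo "delhostkey: --nssdir needs a value" >&2; return 2; }
                nssdir="$2"; shift 2 ;;
            --dry-run)
                dryrun=1; shift ;;
            *)
                echo "delhostkey: unknown option $1" >&2; return 2 ;;
        esac
    done
    if ! validate_ckaid "$ckaid"; then
        echo "delhostkey: --ckaid must be an even-length hex string" >&2
        return 2
    fi
    if [ ! -d "$nssdir" ]; then
        echo "delhostkey: NSS directory $nssdir does not exist" >&2
        return 2
    fi
    cmd=$(build_delhostkey_cmd "$ckaid" "$nssdir")
    if [ "$dryrun" -eq 1 ]; then
        echo "$cmd"
        return 0
    fi
    # Refuse to run the delete for a CKAID that is not in the database:
    # "certutil -K" lists the private keys together with their key IDs.
    certutil -K -d "$nssdir" 2>/dev/null | grep -qi "$ckaid" || {
        echo "delhostkey: no key with CKAID $ckaid in $nssdir" >&2
        return 1
    }
    certutil -F -k "$ckaid" -d "$nssdir"
}
```

Run as `delhostkey --dry-run --ckaid 0a1b2c` to see the certutil invocation without deleting anything; drop `--dry-run` to perform the deletion against the configured database.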