[Swan-dev] Delete an RSA key from NSS

Paul Wouters paul at nohats.ca
Tue Oct 23 10:29:06 UTC 2018

On Tue, 23 Oct 2018, Cesare Leonardi wrote:

> I'm new to libreswan and while reading documentation and doing some tests, I 
> observed that ipsec command permit to initialize an NSS database, to create a 
> key, to show stored keys but, surprisingly, not to delete keys. Then I 
> searched how to do it but was not so simple and I discovered that certutil 
> learned only recently (version 3.39) to delete keys:
> https://bugzilla.mozilla.org/show_bug.cgi?id=291383
> I guess this is the reason why also libreswan lacked this functionality until 
> now, so I'm writing here in case you didn't know about this new certutil 
> feature.
> It would be good if one day we can use something like:
> ipsec delhostkey --ckaid CKAID
> Without having to search for the equivalent:
> certutil -F -k CKAID -d /var/lib/ipsec/nss/

I agree this functionality should be added. Since it is a simple
translation between "ipsec" commands and "certutil" commands, the
best place would be to add this directly into the ipsec command
without creating a helper command (like we do for showhostkey).

It should only need a small patch to programs/ipsec/ipsec.in


More information about the Swan-dev mailing list