[Swan] Key pair generation failed: "-8037"
Greg Scott
GregScott at infrasupport.com
Fri Jun 28 13:13:57 EEST 2013
Looks like this old trick documented in the link below is still good:
http://comments.gmane.org/gmane.network.openswan.user/17219
Create the NSS database first like this:
certutil -N -d /etc/ipsec.d
and then ipsec newhostkey runs to completion.
[root@NSSSS2013-fw ipsec.d]# ls
cacerts crls hq-ipsec.conf policies sites.conf
[root@NSSSS2013-fw ipsec.d]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[root@NSSSS2013-fw ipsec.d]#
[root@NSSSS2013-fw ipsec.d]# ls
cacerts cert8.db crls hq-ipsec.conf key3.db policies secmod.db sites.conf
[root@NSSSS2013-fw ipsec.d]# ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets --verbose --hostname NSSSS2013-fw --password p@ssword
getting 60 random bytes from /dev/random...
Generated RSA key pair using the NSS database
output...
[root@NSSSS2013-fw ipsec.d]# ls
cacerts cert8.db crls hostkey.secrets hq-ipsec.conf key3.db policies secmod.db sites.conf
[root@NSSSS2013-fw ipsec.d]# more hostkey.secrets
: RSA {
# RSA 2192 bits NSSSS2013-fw Fri Jun 28 05:04:18 2013
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQO...lotsOfDigits...uSfE87
Modulus: 0xac...LotsOfDigits...8b4d1ac7
PublicExponent: 0x03
# everything after this point is CKA_ID in hex formati - not the real values
PrivateExponent: 0x8...7c
Prime1: 0x85...8b7c
Prime2: 0x85...8b7c
Exponent1: 0x85...b7c
Exponent2: 0x8...b7c
Coefficient: 0x8...7c
CKAIDNSS: 0x85...b7c
}
# do not change the indenting of that "}"
[root@NSSSS2013-fw ipsec.d]#
- Greg
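
Added example, not part of the post above: a preflight that inspects the config directory for the three NSS database files seen in the listing (cert8.db, key3.db, secmod.db) and prints the commands from the post in the order they need to run. The function names and the `<nss-db-password>` placeholder are hypothetical, and stopping on a partially created database is an assumption made here, not something the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether `certutil -N`
# must run before `ipsec newhostkey`, based on the files in the config dir.
# File names are the ones shown in the directory listing in the post.
NSS_FILES="cert8.db key3.db secmod.db"

# Print the NSS database files missing from directory $1 (empty = complete).
nss_missing() {
    dir=$1
    missing=""
    for f in $NSS_FILES; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    echo "${missing# }"
}

# Classify directory $1 as "ready", "absent" (no database) or "partial".
nss_state() {
    m=$(nss_missing "$1")
    if [ -z "$m" ]; then
        echo ready
    elif [ "$m" = "$NSS_FILES" ]; then
        echo absent
    else
        echo partial
    fi
}

# Print, in order, the commands to run for directory $1 and hostname $2.
# Returns 1 without printing a plan when the database is only partly there.
plan_hostkey() {
    dir=$1
    host=$2
    case $(nss_state "$dir") in
        partial)
            echo "incomplete NSS db in $dir, missing: $(nss_missing "$dir")" >&2
            return 1 ;;
        absent)
            echo "certutil -N -d $dir" ;;
    esac
    # The password value is a placeholder; the post passes it on the command line.
    echo "ipsec newhostkey --output $dir/hostkey.secrets --verbose --hostname $host --password <nss-db-password>"
}

# Print the plan only when asked, e.g.: sh preflight.sh --plan /etc/ipsec.d myhost
if [ "${1:-}" = "--plan" ]; then
    plan_hostkey "$2" "$3"
fi
```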