[Swan] Certificate confusion (fwd)

John Crisp jcrisp at safeandsoundit.co.uk
Sun May 31 04:14:31 EEST 2015

> Certificate confusion
> Hi,
> I'm trying to move from using PSK authent to certificates.
> Have read the Libreswan/NSS howto but seem to be tripping up somewhere.
> Certificate hell :-)

Thank you for your kind responses. Paul, if I can sort this out I will
take you up on wiki access to do a page for numpties like me :-)

For all intents and purposes, the Endian box is 'left' and 'local' to
me. LibreSwan is 'right' and in the 'cloudy thing'.

I think the first thing I need to get straight in my head, and where I
am probably tripping up, is the use of certificates themselves.

I can see that they can be generated on LibreSwan, and that Endian can
create them too.

It seems that both ends can be a CA, and therefore issue certificates.

I can see that both can generate a PKCS12 .p12 which I believe contains
both the public and private key.

They can both generate a .pem which I believe is the public part of the key.

Now, I had wanted LibreSwan to be just in 'receive' mode - e.g. auto=add
with the Endian box making the connection.

Can someone please explain to me which bit of which cert should go where
please ?

Do both ends need both public and private parts of the same key, or do
they both generate their own private key and then exchange just the
public pem with each other ?

If so then how do I import the pem part only into Libreswan (I could add
the whole .p12 cert from Endian but I believe that really the private
key should not leave that box ?)

I tried to export the pem part from Endian and import to LibreSwan as
follows, but it errored:

[root@test certs]# ipsec import Endian.pem
Enter password for PKCS12 file:
pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

I seem to be able to generate/export/import a PKCS12 .p12 certificate at
each end.

Another alternative is I can use something like PHPKI as the CA and
generate certs with that, but again, which bit goes where ? :-) Do I
generate a cert for each end and install both on each end ?

A simple explanation for a simpleton would be gratefully received !

Sorry if it seems so obvious - I'll probably think it is too once I get
my head round it !

B. Rgds
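
Added example, not part of the original post: a pre-import check for the failure shown above, where `ipsec import` hands the file to pk12util, which expects PKCS#12 and rejects PEM text. The file names, the nickname `endian`, the `P,,` trust flags and the default database path `/etc/ipsec.d` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate file before loading it into NSS.
# File names, nickname and database path below are assumptions.

# Print pem-key, pem-cert, der or unknown for the file in $1.
classify_cert_file() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo pem-key      # checked first: private keys should stay on their own box
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem-cert     # base64 text, which pk12util rejects with SEC_ERROR_BAD_DER
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        # 0x30 = ASN.1 SEQUENCE. A DER-encoded single certificate starts the
        # same way, so this is a first-byte heuristic, not proof of PKCS#12.
        echo der
    else
        echo unknown
    fi
}

# Print the import command to run for file $1 with nickname $2.
# $3 is the NSS database directory (the default is an assumption).
suggest_import() {
    db=${3:-/etc/ipsec.d}
    case $(classify_cert_file "$1") in
        pem-key)  echo "refuse: $1 holds a private key, export the certificate only" ;;
        pem-cert) echo "certutil -A -a -i $1 -n $2 -t 'P,,' -d $db" ;;
        der)      echo "ipsec import $1" ;;
        *)        echo "unknown format: $1" ;;
    esac
}

# Write constructed sample files (not real certificates) into directory $1.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/peer.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/leak.pem"
    printf '0\202\001\001' > "$1/bundle.p12"   # DER-like header bytes only
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in peer.pem leak.pem bundle.p12; do
    suggest_import "$tmp/$f" endian
done
rm -rf "$tmp"
```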
