[Swan] pluto doesn't reread certificates

Paul Wouters paul at nohats.ca
Mon Sep 14 13:31:06 UTC 2015


On Mon, 14 Sep 2015, Peter Bendel wrote:

> Certificates have a validity and expire when the validity is expired.
> 
> Thus in a production IPsec implementation it is necessary to replace the certificates close to the expiration date.
> 
> For production servers it is a problem if ipsec service needs to be restarted to pick up new certificates from the
> nss database.
> 
> In the following two topics it is mentioned that it is a current limitation that to re-read the NSS SQlite db the
> ipsec service needs to be restarted.
> 
> https://lists.libreswan.org/pipermail/swan/2014/000924.html
> https://lists.libreswan.org/pipermail/swan/2014/000924.html
> 
> It was mentioned by Paul that Matt is working on a solution (Oct. 2014).
> However I didn't find any mention in the changelog that this limitation is already addressed.

This was addressed in 3.14 when we moved from the NSS db to the sql
format. You are able to import the certificate on a running system.

Paul
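The procedure Paul describes, importing a renewed certificate into the sql-format NSS database of a running libreswan 3.14+ system, as an added shell example that is not part of this thread or of the libreswan project. It assumes the database lives under /etc/ipsec.d (the NSSDB value, the bundle path, the nickname and the connection name are all assumptions), that the new certificate was bundled as PKCS#12 with the nickname that leftcert= in ipsec.conf now names, and that the standard NSS tools pk12util and certutil are installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from libreswan itself.
# Assumes libreswan >= 3.14 with its NSS database in sql format under
# /etc/ipsec.d; NSSDB, the bundle path, nickname and connection name below
# are assumptions for illustration.
NSSDB="${NSSDB:-sql:/etc/ipsec.d}"

# Extract the nicknames of user certificates (trust flags u,u,u) from a
# 'certutil -L' listing read on stdin, so a renewal script can confirm the
# new certificate is really in the database before switching to it.
user_cert_nicknames() {
    awk 'NF >= 2 && $NF == "u,u,u" { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Constructed listing in the layout 'certutil -L' prints; used for the demo.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Example Corp VPN CA                           CT,,
vpn-server-2015                               u,u,u
vpn-server-2016                               u,u,u'

demo_nicknames() {
    printf '%s\n' "$SAMPLE_LISTING" | user_cert_nicknames
}

# Renewal on a running system: import the new PKCS#12 bundle into the sql
# database, check that NSS can validate it as a server certificate, then
# re-add the connection so pluto picks up the nickname named by leftcert=.
renew_server_cert() {
    bundle="$1"    # e.g. /root/vpn-server-2016.p12 (assumed path)
    pwfile="$2"    # file holding the PKCS#12 password
    nick="$3"      # nickname the bundle was created with
    conn="$4"      # connection in ipsec.conf whose leftcert= names $nick

    pk12util -i "$bundle" -d "$NSSDB" -w "$pwfile" || return 1
    certutil -L -d "$NSSDB" | user_cert_nicknames | grep -qx "$nick" || return 1
    certutil -V -n "$nick" -u V -d "$NSSDB" || return 1
    ipsec auto --replace "$conn"
}

# Only perform the renewal when invoked with four arguments; the functions
# above can be sourced or exercised on their own without touching the db.
if [ $# -eq 4 ]; then
    renew_server_cert "$@"
fi
```

The listing check matters operationally: a bundle whose nickname does not match leftcert= imports without error but leaves pluto using the old certificate until it expires, so the script refuses to re-add the connection unless the expected nickname shows up as a user certificate and validates for the SSL-server usage.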

