[Swan] Trying and failing with NSS

Paul Wouters paul at nohats.ca
Mon Dec 21 22:30:38 UTC 2015


On Mon, 21 Dec 2015, Nick Howitt wrote:

> I've just upgraded to 3.16 and I thought I'd have a go at IKEv2 on a road warrior but I'm stuck with the
> NSS/certificates bit. I'm trying to use information gleaned from the Wiki, and use certificates already

Note I updated that page recently to add the sql: prefix to all nss
commands using -d.

> generated on the server for the server and for OpenVPN. I deleted the old *.db and pkcs11.txt files in
> /etc/ipsec.d then did the following:
>       [root@server ipsec.d]# ipsec initnss
>       Initializing NSS database
>
>       [root@server ipsec.d]# certutil -L -d /etc/ipsec.d
>       certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an
>       old, unsupported format.

So that should be: certutil -L -d sql:/etc/ipsec.d

>       [root@server ipsec.d]# ipsec import /etc/pki/CA/server.p12
>       Enter password for PKCS12 file:
>       pk12util: no nickname for cert in PKCS12 file.
>       pk12util: using nickname: server.howitts.lan - ClearOS
>       pk12util: PKCS12 IMPORT SUCCESSFUL
>       correcting trust bits for ca.server.howitts.lan - ClearOS
>       [root@server ipsec.d]# certutil -L -d /etc/ipsec.d
>       certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an
>       old, unsupported format.

Same here.

Paul
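The fix Paul gives is to pass the directory as sql:/etc/ipsec.d so that certutil (and pk12util, which ipsec import wraps) opens the SQLite-format store that ipsec initnss created instead of looking for the legacy dbm files. The helper below is an added example, not code from the thread or from Libreswan: it inspects which NSS database files are present (cert9.db/key4.db/pkcs11.txt for the sql format, cert8.db/key3.db/secmod.db for dbm) and builds the correctly prefixed -d argument, so the prefix is never typed by hand. The directory /etc/ipsec.d and the PKCS#12 path are placeholders; nss_dbdir, nss_certutil and nss_pk12import are names chosen here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or Libreswan itself).
# NSS has two on-disk formats: the legacy dbm store (cert8.db, key3.db,
# secmod.db) and the SQLite store (cert9.db, key4.db, pkcs11.txt).
# certutil/pk12util select the format from the -d argument: "sql:DIR"
# opens the SQLite store, a bare "DIR" or "dbm:DIR" the legacy one, which
# is what a plain "certutil -L -d /etc/ipsec.d" against an sql store runs
# into.  Exporting NSS_DEFAULT_DB_TYPE=sql is the alternative to the prefix.
# Function names and the paths in the comments are assumptions for the demo.

# Print "sql:DIR" or "dbm:DIR" depending on which database files exist.
# sql wins if both sets are present (a stray cert8.db from an earlier
# mistaken command should not send later commands to the legacy store).
# Prints nothing and returns 1 when the directory holds no NSS database.
nss_dbdir() {
    dir=$1
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then
        printf 'dbm:%s\n' "$dir"
    else
        printf 'no NSS database found in %s (run "ipsec initnss"?)\n' "$dir" >&2
        return 1
    fi
}

# Run certutil against DIR with the right prefix, e.g.
#   nss_certutil /etc/ipsec.d -L
#   nss_certutil /etc/ipsec.d -L -n 'server.howitts.lan - ClearOS'
nss_certutil() {
    dir=$1; shift
    db=$(nss_dbdir "$dir") || return 1
    certutil -d "$db" "$@"
}

# Import a PKCS#12 bundle the way "ipsec import" does, with the prefix
# derived from the directory contents, e.g.
#   nss_pk12import /etc/ipsec.d /etc/pki/CA/server.p12
nss_pk12import() {
    dir=$1; p12=$2
    db=$(nss_dbdir "$dir") || return 1
    pk12util -i "$p12" -d "$db"
}

# Demo when invoked directly with a directory, e.g. ./nssdb.sh /etc/ipsec.d
if [ $# -ge 1 ]; then
    if db=$(nss_dbdir "$1"); then
        echo "use: certutil -L -d $db"
        if command -v certutil >/dev/null 2>&1; then
            nss_certutil "$1" -L
        fi
    fi
fi
```

On the thread's system nss_dbdir /etc/ipsec.d prints sql:/etc/ipsec.d after ipsec initnss, so nss_certutil /etc/ipsec.d -L is exactly the certutil -L -d sql:/etc/ipsec.d Paul recommends, and the same prefix carries over to every later certutil or pk12util call on that directory.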