[Swan] Adding host to subnet VPN

Nick Howitt nick at howitts.co.uk
Mon Feb 22 08:25:35 UTC 2016


Don't you now need a different form of the certutil command for the nss 
database? (sql:/etc/ipsec.d instead of etc/ipsec.d)

Nick

On 2016-02-22 02:05, Paul Wouters wrote:
> On Sun, 21 Feb 2016, Alex wrote:
> 
>> Can I just leave out the subnet declarations where they're not
>> necessary?
> 
> Yes.
> 
>> Also, when I try to use my existing CA to create another cert for the
>> new host, it's unable to find it:
>> 
>> # certutil -L -d /etc/ipsec.d
>> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> cyclops                                                      u,u,u
>> DGHQ Authority - MyCompany Inc                        ,,
>> orion                                                        u,u,u
>> 
>> # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
>> -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
>> ...
>> certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>> SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>> in key database
>> certutil: unable to create cert (The private key for this certificate
>> cannot be found in key database)
>> 
>> Did I somehow screw up the process of creating the CA in the first 
>> place?
> 
> Possibly. The easiest is to create a PKCS#12 file and run "ipsec import 
> file.p12"
> 
> Paul
>> Thanks,
>> Alex
>> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
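A shell check and repair for the failure in the quoted exchange, added here as an example and not code from the thread or from libreswan: it reads a `certutil -L` listing and reports nicknames whose trust flags carry no `u` (no private key in the database), which is why `certutil -S -c` fails with SEC_ERROR_NO_KEY, then builds the PKCS#12 bundle Paul suggests and hands it to `ipsec import`. The `sql:/etc/ipsec.d` path follows Nick's question, and the PEM file names passed to `import_ca_with_key` are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Diagnoses the SEC_ERROR_NO_KEY failure
# (the CA entry has no private key in the NSS database) and applies Paul's fix
# (bundle cert+key as PKCS#12, then "ipsec import"). Assumes the sql: database
# Nick asks about and PEM copies of the CA certificate and key outside the DB.
set -u
NSSDB="sql:/etc/ipsec.d"

# In a "certutil -L" trust string (SSL,S/MIME,JAR/XPI) the flag "u" marks a
# user certificate whose private key is in the database; ",," is cert only.
has_private_key() {
    case "$1" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read a "certutil -L" listing on stdin and print every nickname whose trust
# string shows no private key: those are the CAs certutil -S -c cannot sign with.
nicknames_without_key() {
    local line name trust
    while IFS= read -r line; do
        trust="${line##*[[:space:]]}"                 # last field of the row
        case "$trust" in
            ""|*[!pPcCTu,]*) continue ;;              # blank or header line, not a cert row
        esac
        name="${line%[[:space:]]*}"                   # everything before the trust field
        name="${name%"${name##*[![:space:]]}"}"       # trim the column padding
        has_private_key "$trust" || printf '%s\n' "$name"
    done
}

# Put the CA certificate and its key into one PKCS#12 file and import it, so the
# key lands in the NSS database under the nickname certutil -S -c looks up.
# openssl and ipsec import both prompt for the bundle password.
import_ca_with_key() {
    local ca_cert="$1" ca_key="$2" nickname="$3" bundle
    bundle="$(mktemp)"
    openssl pkcs12 -export -in "$ca_cert" -inkey "$ca_key" -name "$nickname" -out "$bundle"
    ipsec import "$bundle"
    rm -f "$bundle"
    certutil -K -d "$NSSDB"        # the CA key should now be listed here
}

# Stand-alone use (file names are hypothetical):
#   certutil -L -d sql:/etc/ipsec.d | ./nsskey.sh check
#   ./nsskey.sh fix ca.crt ca.key "DGHQ Authority - MyCompany Inc"
case "${1:-}" in
    check) nicknames_without_key ;;
    fix)   import_ca_with_key "$2" "$3" "$4" ;;
esac
```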
