[Swan] Adding host to subnet VPN
Paul Wouters
paul at nohats.ca
Mon Feb 22 13:44:20 UTC 2016
On Mon, 22 Feb 2016, Nick Howitt wrote:
> Don't you now need a different form of the certutil command for the nss
> database? (sql:/etc/ipsec.d instead of etc/ipsec.d)
For libreswan-3.16 and above, yes.
Alex was running the old db format because his certutil command without
the sql: prefix worked fine.
Paul
> Nick
>
>
>
> On 2016-02-22 02:05, Paul Wouters wrote:
>> On Sun, 21 Feb 2016, Alex wrote:
>>
>> > Can I just leave out the subnet declarations where they're not
>> > necessary?
>>
>> Yes.
>>
>> > Also, when I try to use my existing CA to create another cert for the
>> > new host, it's unable to find it:
>> >
>> > # certutil -L -d /etc/ipsec.d
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > cyclops u,u,u
>> > DGHQ Authority - MyCompany Inc ,,
>> > orion u,u,u
>> >
>> > # certutil -S -k rsa -c "DGHQ Authority - MyCompany Inc" -n "arcade"
>> > -s "CN=MyCompany Inc" -v 12 -t "u,u,u" -d /etc/ipsec.d
>> > ...
>> > certutil: unable to retrieve key DGHQ Authority - MyCompany Inc:
>> > SEC_ERROR_NO_KEY: The private key for this certificate cannot be found
>> > in key database
>> > certutil: unable to create cert (The private key for this certificate
>> > cannot be found in key database)
>> >
>> > Did I somehow screw up the process of creating the CA in the first
>> > place?
>>
>> Possibly. The easiest is to create a PKCS#12 file and run "ipsec import
>> file.p12"
>>
>> Paul
>> > Thanks,
>> > Alex
>> >
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>
>
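The check behind the SEC_ERROR_NO_KEY failure quoted above, as an added shell example that is not part of this thread: in `certutil -L` output the trust column carries a `u` only when the private key for that certificate is in the key database, so a CA listed as `,,` cannot be used with `certutil -S -c`. The listing below is constructed after Alex's output; the database path and CA nickname passed to the wrapper are assumptions.

```shell
#!/bin/sh
# Added example: diagnose "private key ... cannot be found in key database"
# before issuing a host cert with "certutil -S -c <CA nickname>".

# Constructed sample, modelled on the "certutil -L -d /etc/ipsec.d" listing
# in the thread: the two host certs show "u,u,u" (private key present), the
# CA shows ",," (certificate only, no key in key3.db/key4.db).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cyclops                                                      u,u,u
DGHQ Authority - MyCompany Inc                               ,,
orion                                                        u,u,u'

# trust_flags LISTING NICKNAME -> prints the trust column for NICKNAME.
# The nickname may contain spaces, so split on the last field only.
trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 {
            flags = $NF
            name = substr($0, 1, length($0) - length(flags))
            sub(/[ \t]+$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# has_private_key LISTING NICKNAME -> exit 0 if the SSL trust field has "u",
# i.e. NSS found a matching private key for that certificate.
has_private_key() {
    case "$(trust_flags "$1" "$2" | cut -d, -f1)" in
        *u*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Wrapper around the real tool; only meaningful where certutil is installed.
# NSSDIR is assumed, and the sql: prefix applies to libreswan 3.16 and above.
check_ca_can_sign() {  # check_ca_can_sign NSSDIR CA_NICKNAME
    listing=$(certutil -L -d "sql:$1") || return 2
    if has_private_key "$listing" "$2"; then
        echo "CA '$2' has a private key; certutil -S -c \"$2\" can sign"
    else
        echo "CA '$2' has no private key here (SEC_ERROR_NO_KEY expected);"
        echo "import the CA with its key from a PKCS#12 file: ipsec import ca.p12"
        return 1
    fi
}
```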