[Swan] Importing keypairs from keytool
Paul Wouters
paul at nohats.ca
Thu Aug 18 19:07:02 UTC 2016
Your pkcs12 file must include the CA certificate. Your NSS db doesn't show any CA. I assume your Java export was incomplete.
> On Aug 18, 2016, at 8:02 AM, Sowmini Varadhan <sowmini.varadhan at oracle.com> wrote:
>
>
> Hi,
>
> I am trying to export (as a pkcs12 file) a keypair generated by
> java/keytool into NSS and use this for ipsec. I am following
> similar instructions for openssl documented in the libreswan wiki.
>
> I'm able to get the tunnels to load, but IKE auth does not converge:
> tcpdump reports (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED)
>
> I suspect this may be because I am missing something in
> /etc/ipsec.d/ipsec.secrets, I could use some hints about what I may
> be doing incorrectly.
>
> Here's what I am doing:
>
> With keytool generate a pkcs certificate on the right-node.
> e.g.,
> right# keytool -exportcert -keystore java/my.pkcs12 \
> -storetype pkcs12 \
> -validity 720 -v -alias BDS \
> -genkeypair -keyalg RSA -storepass $passwd -keypass $passwd
>
> Now import this with ipsec:
> right# ipsec import java/my.pkcs12
>
> Check that it is there:
> right# certutil -L -d sql:/etc/ipsec.d
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> bds                                                          u,u,u
>
> Modify the right-node config file for this tunnel:
>
> right# grep right /etc/ipsec.d/eth4.conf
> rightid="CN=bds"
> right=14.0.0.70
> rightcert=bds
> rightrsasigkey=%cert
>
> On the left node, import the public key. First export it on the right node:
>
> right# certutil -L -n "bds" -d sql:/etc/ipsec.d/ -a > right.crt
>
> Copy right.crt over to the left node, then
> left# certutil -A -i right.crt -n "bds" -t "C,C,C" -d /etc/ipsec.d
>
> Left will report it as:
>
> left# certutil -L -d /etc/ipsec.d
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> bds                                                          C,C,C
>
> Add the info to the ipsec.d/*.conf:
> left# grep right /etc/ipsec.d/eth4.conf
> right=14.0.0.70
> rightid="CN=bds"
> rightrsasigkey=%cert
>
> Now restarting ipsec loads tunnels but ike does not complete the
> auth phase. Is something missing in some other /etc/ipsec.d config
> file to tell it to go look in sql:/etc/ipsec.d?
>
> Thanks in advance for hints,
>
> --Sowmini
>
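Paul's diagnosis can be checked before running `ipsec import`. The following is an added shell example, not code from the thread or from libreswan: it builds a constructed CA-signed keypair with openssl, exports it as PKCS#12 once without and once with the issuing CA, and counts the certificates each bundle carries. The CA name, the `bds` alias, the password and the temporary directory are all constructed; openssl is used for inspection in place of the NSS `pk12util` tool.

```shell
#!/bin/sh
# Constructed example: compare a PKCS#12 export that carries only the
# end-entity certificate with one that also carries the issuing CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                      # constructed password, not from the thread

# Constructed CA and a leaf certificate for CN=bds signed by that CA
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=bds" \
  -keyout "$WORK/bds.key" -out "$WORK/bds.csr" 2>/dev/null
openssl x509 -req -in "$WORK/bds.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/bds.crt" 2>/dev/null

# Leaf only: the shape of an export that omits the CA chain
openssl pkcs12 -export -inkey "$WORK/bds.key" -in "$WORK/bds.crt" \
  -name bds -passout "pass:$PASS" -out "$WORK/leaf-only.p12"
# Leaf plus issuing CA: what the NSS database needs to show a CA entry
openssl pkcs12 -export -inkey "$WORK/bds.key" -in "$WORK/bds.crt" \
  -certfile "$WORK/ca.crt" -name bds -passout "pass:$PASS" \
  -out "$WORK/with-ca.p12"

# p12_cert_count FILE PASSWORD: number of certificates inside the bundle
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# p12_has_ca FILE PASSWORD: succeeds only when more than the leaf is present
p12_has_ca() {
  [ "$(p12_cert_count "$1" "$2")" -ge 2 ]
}

for f in leaf-only.p12 with-ca.p12; do
  if p12_has_ca "$WORK/$f" "$PASS"; then
    echo "$f: $(p12_cert_count "$WORK/$f" "$PASS") certs, CA chain present"
  else
    echo "$f: $(p12_cert_count "$WORK/$f" "$PASS") cert, CA chain missing"
  fi
done
```

Running it against a real export (`p12_has_ca java/my.pkcs12 "$passwd"`) before `ipsec import` tells you whether the CA entry Paul expects will appear in `certutil -L`.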