[Swan] Importing keypairs from keytool

Paul Wouters paul at nohats.ca
Thu Aug 18 19:07:02 UTC 2016


Your pkcs12 file must include the CA certificate. Your NSS db doesn't show any CA. I assume your Java export was incomplete.


> On Aug 18, 2016, at 8:02 AM, Sowmini Varadhan <sowmini.varadhan at oracle.com> wrote:
> 
> 
> Hi,
> 
> I am trying to export (as a pkcs12 file) a keypair generated by
> java/keytool into NSS and use this for ipsec. I am following
> similar instructions for openssl documented in the libreswan wiki. 
> 
> I'm able to get the tunnels to load, but IKE auth does not converge:
> tcpdump reports (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED)
> 
> I suspect this may be because I am missing something in
> /etc/ipsec.d/ipsec.secrets; I could use some hints about what I may
> be doing incorrectly.
> 
> Here's what I am doing:
> 
> With keytool generate a pkcs certificate on the right-node.
> e.g.,
> right# keytool -exportcert -keystore java/my.pkcs12 \
>        -storetype pkcs12 \
>        -validity 720 -v  -alias BDS \
>        -genkeypair -keyalg RSA -storepass $passwd -keypass $passwd
> 
> Now import this with ipsec:
> right# ipsec import java/my.pkcs12
> 
> Check that it is there:
> right#  certutil -L -d sql:/etc/ipsec.d
> 
>  Certificate Nickname                                       Trust Attributes
>                                                             SSL,S/MIME,JAR/XPI
> 
>  bds                                                        u,u,u
> 
> Modify the right-node config file for this tunnel:
> 
>  right# grep right /etc/ipsec.d/eth4.conf
>        rightid="CN=bds"
>        right=14.0.0.70
>        rightcert=bds
>        rightrsasigkey=%cert
> 
> On the left node, import the public key. First export it on the right node:
> 
>  right# certutil -L -n "bds" -d sql:/etc/ipsec.d/ -a > right.crt
> 
> Copy right.crt over to the left node, then 
>  left# certutil -A -i right.crt -n "bds" -t "C,C,C" -d /etc/ipsec.d
> 
> Left will report it as:
> 
>  left# certutil -L -d /etc/ipsec.d
> 
>  Certificate Nickname                                       Trust Attributes
>                                                             SSL,S/MIME,JAR/XPI
> 
>  bds                                                        C,C,C
> 
> Add the info to the ipsec.d/*.conf:
> left# grep right /etc/ipsec.d/eth4.conf
>        right=14.0.0.70
>        rightid="CN=bds"
>        rightrsasigkey=%cert
> 
> Now restarting ipsec loads tunnels but ike does not complete the
> auth phase. Is something missing in some other /etc/ipsec.d config
> file to tell it to go look in sql:/etc/ipsec.d?
> 
> Thanks in advance for hints,
> 
> --Sowmini
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
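As an added example (not code from the post, from Paul, or from libreswan), the script below shows the check behind Paul's diagnosis: parse a `certutil -L` listing and report whether any entry carries a CA trust flag (C or T) in one of the three NSS trust slots, as opposed to the poster's single "bds  u,u,u" row, which is a user certificate with a private key and no CA at all. It runs against two constructed listings, the one quoted above and one in which the issuing CA has been imported; the CA nickname "Example CA" and the comment's file names (ca.crt, leaf.key, leaf.crt) are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post or from libreswan: inspect a
# `certutil -L -d sql:/etc/ipsec.d` listing and say whether a CA is in it.
#
# Two ways to get the CA into the NSS db (real command syntax, assumed
# file names), either before or after the pkcs12 import:
#   keytool -importcert -trustcacerts -alias ca -file ca.crt \
#       -keystore my.pkcs12 -storetype pkcs12        # bundle CA in the p12
#   openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
#       -out my.p12                                  # same, with openssl
#   certutil -A -n "Example CA" -t "CT,," -i ca.crt -d sql:/etc/ipsec.d
#                                                    # or import CA directly

# Constructed sample: the listing from the post (no CA present).
LISTING_NO_CA='
Certificate Nickname                                       Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

bds                                                        u,u,u
'

# Constructed sample: the same db once the issuing CA has been imported.
# "Example CA" is an assumed nickname; CT,, is the trust string the
# libreswan docs use when importing a CA with certutil -A.
LISTING_WITH_CA='
Certificate Nickname                                       Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

Example CA                                                 CT,,
bds                                                        u,u,u
'

# has_ca_in_listing LISTING
# Returns 0 when at least one certificate row has C or T in any of the
# three trust slots, 1 otherwise. Rows are recognised by a trailing
# "x,y,z" trust field, so nicknames containing spaces are handled and the
# "SSL,S/MIME,JAR/XPI" header (it contains '/') is skipped.
has_ca_in_listing() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            if ($NF ~ /[CT]/) { found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# ca_nicknames LISTING
# Prints the nickname of every CA row (everything before the trust field).
ca_nicknames() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ && $NF ~ /[CT]/ {
            $NF = ""; sub(/[ \t]+$/, ""); print
        }'
}

# check_db_listing LISTING
# Human-readable verdict; exit status mirrors has_ca_in_listing.
check_db_listing() {
    if has_ca_in_listing "$1"; then
        echo "CA present: $(ca_nicknames "$1" | tr '\n' ';')"
        return 0
    fi
    echo "no CA in NSS db: only user certs (u,u,u); peer cert cannot chain" >&2
    return 1
}

check_db_listing "$LISTING_NO_CA"   || true   # reports the missing CA
check_db_listing "$LISTING_WITH_CA"           # reports "Example CA"
```

The trust string is read left to right as SSL, S/MIME and JAR/XPI flags; `u` only records that the db holds the private key for that certificate, so a db whose only row is `u,u,u` has nothing to validate a peer's certificate against, which is the state the poster's `certutil -L` output shows.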
