[Swan] Importing keypairs from keytool

Sowmini Varadhan sowmini.varadhan at oracle.com
Fri Aug 19 14:52:00 UTC 2016

On (08/18/16 15:07), Paul Wouters wrote:
> Your pkcs12 file must include the CA certificate. Your NSS db doesn't
> show any CA. I assume your Java export was incomplete.

After you pointed this out, I tried the following set of commands:

  # keytool -genkeypair [...] -keystore java/boo.pkcs12
  # keytool -exportcert [...] -keystore java/boo.pkcs12 -file java/boo.cert

Now, when I run
  # openssl pkcs12 -in java/boo.pkcs12 -nodes -passin pass:$passwd
I see that the output has both a PRIVATE KEY and a CERTIFICATE section.
I'm able to do "ipsec import boo.pkcs12", and follow the rest
of the commands from my email (including populating ipsec.secrets) but
the tunnel is still not activated.

Should I be copying the *.cert somewhere (where?)? How (what command)
did you determine that the NSS db doesn't show a CA?

