[Swan] Importing keypairs from keytool
Paul Wouters
paul at nohats.ca
Fri Aug 19 16:53:28 UTC 2016
On Fri, 19 Aug 2016, Sowmini Varadhan wrote:

> Now, when I run
> # openssl pkcs12 -in java/boo.pkcs12 -nodes -passin pass:$passwd

You need:

openssl pkcs12 -export -out cert.p123 -inkey privateKey.key -in certificate.crt -certfile CACert.crt

You seem to be using a pkcs12 file as import, and only removing the
password from it. So it all depends if your java/boo.pkcs12 contains
the right items. I assume not.

> I see that the output has both a PRIVATE KEY and a CERTIFICATE section.
> I'm able to do "ipsec import boo.pkcs12", and follow the rest
> of the commands from my email (including populating ipsec.secrets) but
> the tunnel is still not activated.
>
> Should I be copying the *.cert somewhere (where?). How (what command)
> did you determine that the NSS db doesn't show a CA?

certutil -L -d sql:/etc/ipsec.d

(or on older versions: certutil -L -d /etc/ipsec.d)

It should show 1x cert plus 1x CA cert. The CA cert you can see has the
"CT,," trust bits set.

Paul
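
One way to script the check described above, as an added example that is not part of the original message: it reads a `certutil -L` listing and counts entries that carry a private key (`u` in the SSL trust field) and CA entries trusted for SSL (`C` in that field, as in "CT,,"). The function names, nicknames and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Real use: certutil -L -d sql:/etc/ipsec.d | check_nss_listing

# Reads a `certutil -L` listing on stdin, prints "<certs with key> <CA certs>".
# Nicknames may contain spaces, so the trust string is the last field.
count_nss_entries() {
    awk '
        # A trust string is three comma-separated groups of flag letters;
        # the "SSL,S/MIME,JAR/XPI" header line fails this because of "/".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, t, ",")
            if (t[1] ~ /C/) ca++        # trusted CA for SSL, e.g. "CT,,"
            else if (t[1] ~ /u/) ee++   # "u": private key present in the db
        }
        END { printf "%d %d\n", ee, ca }
    '
}

# Succeeds only if at least one keyed cert and one trusted CA are listed.
check_nss_listing() {
    set -- $(count_nss_entries)
    if [ "$1" -ge 1 ] && [ "$2" -ge 1 ]; then
        echo "ok: $1 cert(s) with key, $2 CA cert(s)"
        return 0
    fi
    echo "incomplete: $1 cert(s) with key, $2 CA cert(s)"
    return 1
}

# Constructed sample: what a complete import should look like.
sample_good() { cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

boo                                                          u,u,u
Example Test CA                                              CT,,
EOF
}

# Constructed sample: PKCS#12 file that carried no CA certificate.
sample_missing_ca() { cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

boo                                                          u,u,u
EOF
}

sample_good | check_nss_listing
sample_missing_ca | check_nss_listing || true
```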