[Swan] Importing keypairs from keytool

Paul Wouters paul at nohats.ca
Fri Aug 19 16:53:28 UTC 2016

On Fri, 19 Aug 2016, Sowmini Varadhan wrote:

> Now, when I run
>  # openssl pkcs12 -in java/boo.pkcs12 -nodes -passin  pass:$passwd

You need:

openssl pkcs12 -export -out cert.p123 -inkey privateKey.key -in certificate.crt -certfile CACert.crt

You seem to be using a pkcs12 file as import, and only removing the
password from it. So it all depends on whether your java/boo.pkcs12 contains
the right items. I assume not.

> I see that the output has both a PRIVATE KEY and a CERTIFICATE section.
> I'm able to do "ipsec import boo.pkcs12", and follow the rest
> of the commands from my email (including populating ipsec.secrets) but
> the tunnel is still not activated.
> Should I be copying the *.cert somewhere (where?). How (what command)
> did you determine that the NSS db doesn't show a CA?

certutil -L -d sql:/etc/ipsec.d

(or on older versions: certutil -L -d /etc/ipsec.d)

It should show 1x cert plus 1x CA cert. The CA cert you can see has the
"CT,," trust bits set.
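As an added illustration of the check described above (not part of the original mail), the script below inspects a `certutil -L` listing for the two entries expected after a correct import: an end-entity certificate whose private key is present and a CA certificate carrying the "CT,," trust bits. The listings are constructed samples, and the assumption that a cert with its private key shows trust "u,u,u" is standard NSS behaviour rather than something stated in the mail.

```shell
#!/bin/sh
# Check a `certutil -L -d sql:/etc/ipsec.d` listing for what an IPsec setup needs:
# at least one end-entity cert with a private key (trust "u,u,u", assumed NSS
# convention) and at least one CA cert with the "CT,," trust bits.
# Both listings below are constructed samples, not output from a real system.

SAMPLE_OK='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

boo                                                          u,u,u
Example CA                                                   CT,,'

# Same database without the CA: the tunnel will not come up with this.
SAMPLE_NO_CA='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

boo                                                          u,u,u'

# count_trust LISTING FLAGS
# Prints how many certificates have a trust column exactly equal to FLAGS.
# The first two lines are certutil's column headers; the last whitespace-
# separated field of each remaining non-empty line is the trust string, so
# nicknames containing spaces are handled correctly.
count_trust() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 2 && NF >= 2 && $NF == want { n++ }
        END { print n + 0 }'
}

# nss_trust_check LISTING
# Returns 0 when the listing has both a keyed end-entity cert and a trusted CA,
# 1 otherwise, printing which part is missing.
nss_trust_check() {
    certs=$(count_trust "$1" "u,u,u")
    cas=$(count_trust "$1" "CT,,")
    if [ "$certs" -ge 1 ] && [ "$cas" -ge 1 ]; then
        echo "ok: $certs end-entity cert(s) with key, $cas CA cert(s) with CT,,"
        return 0
    fi
    echo "incomplete: cert with u,u,u (have $certs), CA with CT,, (have $cas)" >&2
    return 1
}

nss_trust_check "$SAMPLE_OK"
nss_trust_check "$SAMPLE_NO_CA" || true
```

To check a live database, pipe the real listing in with `nss_trust_check "$(certutil -L -d sql:/etc/ipsec.d)"`.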


