[Swan] RSA keys help

Kostya Vasilyev kman at fastmail.com
Wed Jan 23 14:27:05 UTC 2019


Were you exporting keys that are part of some certificates?

Yes this is possible (and importing too).

But in this case here I'm dealing with "standalone" keys - not keys which are part of certificates - and this does not seem possible.

I can't use certificate auth because of some issues on Mikrotik side (it seems to want "something" in subjectAltName but I can't figure out what... a Mikrotik forum post is pending moderation).

Any idea on the other options - such as generating keys with openssl and either importing into NSS as keys, or making LibreSwan use openssl key files, or converting openssl to DNS format and making LibreSwan use those as strings?

-- 
Kostya Vasilyev
kman at fastmail.com

On Wed, Jan 23, 2019, at 5:15 PM, Derek Cameron wrote:
> I was able to export both certificates and keys from NSS SQLite
> databases with commands such as:
> 
> pk12util -o test/client1.p12 -n "client1.example.com" -d sql:test
> 
> openssl pkcs12 -in test/client1.p12 -cacerts -nokeys -out test/client1.ca.pem
> 
> openssl pkcs12 -in test/client1.p12 -nocerts -nodes -out test/client1.key.pem
> 
> openssl pkcs12 -in test/client1.p12 -clcerts -nokeys -out test/client1.cert.pem
> 
> On Wed, Jan 23, 2019 at 6:03 AM Kostya Vasilyev <kman at fastmail.com> wrote:
> >
> > Hi,
> >
> > I'm trying to configure a LibreSwan server with a Mikrotik router client (GRE tunnel).
> >
> > Got it working with PSK auth, would like to switch to RSA key based auth.
> >
> > Have seen the wikis, still have some questions.
> >
> > LibreSwan uses NSS for key storage - which is fine but Mikrotik doesn't have NSS to generate the keys nor understands NSS format (RFC 3110? aka DNS format encoding?)
> >
> > It does understand SSH format keys (and I can convert them to / from P12) and of course I can use openssl to generate.
> >
> > I can think of these ways to set up my keys, but can't get any of them to work:
> >
> > Option 1:
> >
> > Generate both (server and client) keys on server side with NSS and somehow export them in SSH format, including 1) server's public key 2) client's public key 3) client's private key
> >
> > From what I've seen on the Internet, NSS cannot (by design) export private keys at all. Maybe this is wrong and there is a way?
> >
> > And if I could do this, how would I convert from RFC 3110 in NSS to openssl format for Mikrotik?
> >
> > Option 2:
> >
> > Generate both (server and client) keys separately with openssl and somehow import them into NSS on the server, including 1) server's public key 2) server's private key 3) client's public key.
> >
> > But as far as I can tell, NSS cannot import keys, only certificates (I mean pk12util -i ...) so that seems like a dead end too unless I'm missing something.
> >
> > Option 3:
> >
> > Generate keys with openssl and somehow make LibreSwan use them directly from files, not from NSS.
> >
> > Is this possible? I understand from LibreSwan docs that NSS is the main method of configuring keys - but is it perhaps also possible to use SSH format key files (or SSH format key strings in settings)?
> >
> > Variation on 3:
> >
> > Directly specify keys in LibreSwan config (as strings) but I'd need to convert my openssl keys (both public and private for the server, public for the client) into RFC 3110 format, and can't find a way to do this.
> >
> > I assume there is a solution to this, it has to be a frequent case where "the other side" is not also LibreSwan, but just can't find the right docs it seems.
> >
> > Help please?
> >
> > --
> > Kostya Vasilyev
> > kman at fastmail.com
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan


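The "Variation on 3" in the quoted message asks how to turn an openssl-generated RSA public key into the RFC 3110 string form that Libreswan accepts in ipsec.conf. The following is an added example, not code from this thread or from the Libreswan project. It reads the PEM public key that openssl writes (either a PKCS#1 "RSA PUBLIC KEY" block or a SubjectPublicKeyInfo "PUBLIC KEY" block) with a minimal DER reader, emits the RFC 3110 section 2 encoding (exponent length, exponent, modulus) base64-encoded with the "0s" prefix Libreswan uses for the leftrsasigkey=/rightrsasigkey= settings, and decodes the result back to the modulus and exponent as a self-check. The key material in the script is constructed on the fly and is not a real key; the private-key side of the question is not covered here.

```python
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), as found in
# the AlgorithmIdentifier of a SubjectPublicKeyInfo.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def der_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo wrapping the PKCS#1 key (the 'openssl rsa -pubout' layout)."""
    alg = b"\x30" + _der_len(len(RSA_ENCRYPTION_OID) + 2) + RSA_ENCRYPTION_OID + b"\x05\x00"
    bits = b"\x00" + der_rsa_public_key(n, e)  # leading octet: zero unused bits
    body = alg + b"\x03" + _der_len(len(bits)) + bits
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def parse_rsa_public_key_der(der: bytes):
    """Return (n, e) from a PKCS#1 RSAPublicKey or a SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    if t1 == 0x30:  # SPKI: AlgorithmIdentifier first, then BIT STRING with the key
        if not v1.startswith(RSA_ENCRYPTION_OID):
            raise ValueError("not an rsaEncryption key")
        t2, v2, _ = _read_tlv(body, pos)
        if t2 != 0x03 or v2[0] != 0:
            raise ValueError("malformed BIT STRING")
        return parse_rsa_public_key_der(v2[1:])  # recurse into the PKCS#1 key
    if t1 != 0x02:
        raise ValueError("expected INTEGER modulus")
    t2, v2, _ = _read_tlv(body, pos)
    if t2 != 0x02:
        raise ValueError("expected INTEGER exponent")
    return int.from_bytes(v1, "big"), int.from_bytes(v2, "big")


def to_rfc3110(n: int, e: int) -> str:
    """RFC 3110 section 2 RSA public key encoding, base64 with Libreswan's '0s' prefix."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Exponent length is one octet for 1..255, else a zero octet plus two octets.
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode("ascii")


def from_rfc3110(key: str):
    """Inverse of to_rfc3110: return (n, e) from a '0s...' string."""
    if not key.startswith("0s"):
        raise ValueError("expected Libreswan '0s' base64 prefix")
    raw = base64.b64decode(key[2:])
    if raw[0] != 0:
        elen, pos = raw[0], 1
    else:
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return n, e


def pem_to_rfc3110(pem: str) -> str:
    """Convert an openssl PEM public key (PKCS#1 or SPKI) to the '0s...' form."""
    m = re.search(r"-----BEGIN (?:RSA )?PUBLIC KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM public key block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return to_rfc3110(*parse_rsa_public_key_der(der))


# Constructed test values (not a real key): a 256-bit modulus and e = 65537.
SAMPLE_N = (1 << 255) | 0x1234567
SAMPLE_E = 65537
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(der_spki(SAMPLE_N, SAMPLE_E)).decode("ascii")
              + "-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    key = pem_to_rfc3110(SAMPLE_PEM)
    print("leftrsasigkey=" + key)
    assert from_rfc3110(key) == (SAMPLE_N, SAMPLE_E)
```

With a real key, feed the file produced by `openssl rsa -in key.pem -pubout` to pem_to_rfc3110 and compare the modulus returned by from_rfc3110 against `openssl rsa -noout -modulus` before pasting the string into the config; keys with e = 65537 always start with "0sAwEAA", which is a quick visual check that the exponent-length header came out right.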