[Swan] RSA keys help

Kostya Vasilyev kman at fastmail.com
Wed Jan 23 14:50:38 UTC 2019


Re: keys only auth

I'm following this guide:

https://libreswan.org/wiki/Host_to_host_VPN

Which is under:

https://libreswan.org/wiki/Configuration_examples

As you can see, it uses NSS for key generation and storage.

I actually got RSA key auth to work with StrongSwan, but it seems less stable than Libre (was dropping connections and slow to re-establish).

Yes, I know the syntax for adding alt subject names, thanks. The problem is MikroTik wants something specific there (from the server cert) and I can't figure out what; it seems undocumented. Some people say it wants an email address (any email address), but that didn't work.

Anyway, to keep from straying too far...

...has anyone used RSA key *only* auth with Libre where the other side was a different system (not Libre)? How did you manage your keys?

Any suggestions on key management?

-- 
Kostya Vasilyev
kman at fastmail.com

On Wed, Jan 23, 2019, at 5:41 PM, Derek Cameron wrote:
> Yes, my use case included both the certificate and the private key for
> the client. I have never heard of authentication with only a key and
> no certificate, except in the case of a preshared key (PSK). I added
> the subjectAltName to the client certificate with the -8 switch. e.g.
> 
> certutil -S -c "ExampleCA" -n "client1.example.com" -s
> "O=Example,CN=client1.example.com" -k rsa -v 12 -d sql:test -t ",," -1
> -6 -8 "client1.example.com"
> 
> On Wed, Jan 23, 2019 at 6:27 AM Kostya Vasilyev <kman at fastmail.com> wrote:
> >
> > Were you exporting keys that are part of some certificates?

