[Swan] RSA keys help

Paul Wouters paul at nohats.ca
Wed Jan 23 18:00:52 UTC 2019

On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> I'm trying to configure a LibreSwan server with a Mikrotik router client (GRE tunnel).

nit pick, it is libreswan, no upper case S please :)

> Got it working with PSK auth, would like to switch to RSA key based auth.
> Have seen the wiki's, still have some questions.
> LibreSwan uses NSS for key storage - which is fine but Mikrotik doesn't have NSS to generate the keys nor understands NSS format (RFC 3110? aka DNS format encoding?)

Does your Mikrotik support raw RSA keys? Likely not, in which case the
path to go is certificates. You can generate them with whatever tool
you want, as long as you end up with two PKCS#12 formatted certificate
bundles. These .p12 files contain a private key, public cert and CA
cert. You can import a .p12 file using "ipsec import file.p12".

The "nickname" of the certificate is used to load it into the
connection, eg leftcert=nickname

You can use certutil -L -d sql:/etc/ipsec.d to list the NSS database
content and find the nickname if you do not know it.

> It does understand SSH format keys (and I can convert them to / from P12) and of course I can use openssl to generate.

So use p12 and convert as needed on the Mikrotik.

> Generate both (server and client) keys on server side with NSS and somehow export them in SSH format, including 1) server's public key 2) client's public key 3) client's private key
> From what I've seen on the Internet, NSS cannot (by design) export private keys at all. Maybe this is wrong and there is a way?

You can export p12 files using NSS pk12util.

> Generate both (server and client) keys separately with openssl and somehow import them into NSS on the server, including 1) server's public key 2) server's private key 3) client's public key.
> But as far as I can tell, NSS cannot import keys, only certificates (I mean pk12util -i ...) so that seems like a dead end too unless I'm missing something.

You can use openssl to create a p12 file from key+cert+CAcert using
openssl pkcs12 -export .....

> Option 3:
> Generate keys with openssl and somehow make LibreSwan use them directly from files, not from NSS.

That is not an option. libreswan does not read or parse files or have
native support for pkcs#11 for hardware tokens. It all goes via NSS.

> Directly specify keys in LibreSwan config (as strings) but I'd to convert my openssl keys (both public and private for the server, public for the client) into RFC 3110 format, and can't find a way to do this.

You cannot. Private keys must be inside the NSS database.

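The certificate path Paul lays out above, as an added example that is not part of the thread: build the PKCS#12 bundle (private key + cert + CA cert) with openssl, then import it into a throwaway NSS database and list the nickname that would go into leftcert=. The names swan-ca and mikrotik-client, the demo password and the temporary work directory are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a .p12 the way the reply
# describes, then shows the NSS side (pk12util/certutil) on a scratch database.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory
P12PASS="changeit"             # demo password; use a strong one for real bundles

make_bundle() {
    # Self-signed demo CA (assumed name "swan-ca")
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=swan-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # End-entity key + CSR for the client, then sign it with the demo CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mikrotik-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/client.crt" 2>/dev/null
    # The bundle: private key, public cert and CA cert.
    # -name becomes the NSS nickname used for leftcert= after import.
    openssl pkcs12 -export -name mikrotik-client \
        -inkey "$WORK/client.key" -in "$WORK/client.crt" -certfile "$WORK/ca.crt" \
        -passout "pass:$P12PASS" -out "$WORK/mikrotik-client.p12"
}

# Count the certificates carried in the bundle (client cert + CA cert = 2)
bundle_cert_count() {
    openssl pkcs12 -in "$WORK/mikrotik-client.p12" -passin "pass:$P12PASS" \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Import into a scratch NSS database (what "ipsec import" does for
# /etc/ipsec.d) and list it so the nickname is visible.
# Returns 0 without importing if the NSS tools are not installed.
import_into_nss() {
    command -v pk12util >/dev/null || { echo "pk12util not installed; skipping"; return 0; }
    mkdir -p "$WORK/nssdb"
    certutil -N -d "sql:$WORK/nssdb" --empty-password
    pk12util -i "$WORK/mikrotik-client.p12" -d "sql:$WORK/nssdb" -W "$P12PASS"
    certutil -L -d "sql:$WORK/nssdb"   # nickname column is what leftcert= expects
}
```

On the libreswan host the equivalent of the last function is simply "ipsec import mikrotik-client.p12" followed by "certutil -L -d sql:/etc/ipsec.d".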
