[Swan] RSA keys help

Paul Wouters paul at nohats.ca
Wed Jan 23 18:14:43 UTC 2019

On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> ipsec-tools has a utility called plainrsa-gen which can generate RFC 3110 format keys.
> Output looks like this (this is a 512 bit key for brevity):
> # : PUB 0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ==
> : RSA	{
> 	# RSA 256 bits
> 	# pubkey=0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ==
> 	Modulus: 0xc1bba15281ccd82798e3a84e2b423d66d8f202da88872f887a56189c4113f7c5
> 	PublicExponent: 0x03
> 	PrivateExponent: 0x8127c0e1abdde56fbb4270341cd6d398bd0376dfa632f2f89b0118b27d89edeb
> 	Prime1: 0xe1006e0fedd5b3ceeb23d3af2552cd5d
> 	Prime2: 0xdc6c627b21650f44a6b09fe15f724589
> 	Exponent1: 0x9600495ff3e3cd349cc28d1f6e373393
> 	Exponent2: 0x92f2ec5216435f8319cb1540ea4c2e5b
> 	Coefficient: 0xcbfd904423e9e83f8363823d512e9b87
>  }

These are no longer needed for libreswan, but if having this format is
useful to you, you can run: ipsec newhostkey --output /etc/ipsec.secrets
and you will see the private key in NSS and the public key in

> On my Fedora home system, it can also import from openssl private / public format key files (not on Debian where I have LibreSwan but that doesn't matter I can do the conversion on Fedora).
> And unless this documentation is outdated, I should be able to put the server's private key into ipsec.secrets (not NSS) even with LibreSwan:
> https://libreswan.org/man/ipsec.secrets.5.html

No. Putting private keys in ipsec.secrets has never been supported for
libreswan. Early libreswan versions still required the presence of the
public key in the secrets file, but this is no longer needed (and ignored)
as of libreswan v3.16 (released December 18, 2015).
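
Added example, not part of the original thread and not code from libreswan or ipsec-tools: a small Python parser for the RFC 3110 public key blob shown in the quoted plainrsa-gen output, which cross-checks the decoded exponent and modulus against the `PublicExponent` and `Modulus` fields. The function names are hypothetical; the key values are copied from the quoted output, and the `0s` prefix is treated as the base64 marker.

```python
import base64

def parse_rfc3110_pubkey(text):
    """Decode an RFC 3110 RSA public key; return (exponent, modulus) as ints."""
    if text.startswith("0s"):          # "0s" marks base64 data in the key file
        text = text[2:]
    blob = base64.b64decode(text, validate=True)
    if not blob:
        raise ValueError("empty key blob")
    # Exponent length is one byte, or 0x00 followed by a 2-byte big-endian length.
    if blob[0] != 0:
        exp_len, offset = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]  # everything after the exponent
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated or malformed key blob")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def matches_secret_fields(pubkey, modulus_hex, exponent_hex):
    """True if the pubkey blob agrees with the Modulus/PublicExponent fields."""
    e, n = parse_rfc3110_pubkey(pubkey)
    return e == int(exponent_hex, 16) and n == int(modulus_hex, 16)

# Values copied from the plainrsa-gen output quoted in the message above.
PUBKEY = "0sAQPBu6FSgczYJ5jjqE4rQj1m2PIC2oiHL4h6VhicQRP3xQ=="
MODULUS = "0xc1bba15281ccd82798e3a84e2b423d66d8f202da88872f887a56189c4113f7c5"
PUBLIC_EXPONENT = "0x03"

if __name__ == "__main__":
    e, n = parse_rfc3110_pubkey(PUBKEY)
    print("exponent:", e)
    print("modulus bits:", n.bit_length())
    print("fields consistent:", matches_secret_fields(PUBKEY, MODULUS, PUBLIC_EXPONENT))
```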

