[Swan] RSA keys help
kman at fastmail.com
Wed Jan 23 18:24:23 UTC 2019
On Wed, Jan 23, 2019, at 9:06 PM, Paul Wouters wrote:
> On Wed, 23 Jan 2019, Kostya Vasilyev wrote:
> > Were you exporting keys that are part of some certificates?
> > Yes this is possible (and importing too).
> > But in this case here I'm dealing with "standalone" keys - not keys which are part of certificates - and this does not seem possible.
> You can use certutil -d sql:/etc/ipsec.d -K to list all the raw keys,
> even those that came in via pkcs#12 imports. That lists the ckaid,
> which you can use to load the key, eg leftckaid=.....
> But a CKAID is not a public key format that the other endpoint can use,
> so to get the public key in base64 format, you can use:
> ipsec showhostkey --left --ckaid ....
Right but that's raw format again - which Mikrotik can't use and I can't find a tool that would convert raw to openssl...
Which is weird since in my world (your basic software developer, ssh to servers, that sort of thing) - openssl key format is much more common...
> > I can't use certificate auth because of some issues on Mikrotik side (it seems to want "something" in subjectAltName but I can't figure out what... a Mikrotik forum post is pending moderation).
> Whatever the IDs used in IKE are, those should appear as SubjectAltName
> in the certificate. So if your firstname.lastname@example.org you need a DNS:foo.bar
> SAN. Same goes for not using any leftid= which means it is using its IP
> address as ID, so you need an IP:a.b.c.d SAN.
> The only exception is if you are using a Distinguished Name (DN) as ID.
> In that case, the DN of the certificate is matched as a whole to the ID.
Thanks for the tips, tried both DNS and IP extensions already. The Mikrotik either complains that it "cannot get subjectAltName" or "can't parse ph2 packet" - which is terribly cryptic. It does not complain about ID mismatches. I'm still hoping to get help on their forums.
Anyway, thanks for confirming my findings - I mean using a certificate as an "exchange medium" to distribute the keys.
It would be nice if NSS supported importing / exporting openssl *keys* directly, including private keys, to make key management easier, but I understand it's an external (to libreswan) piece of software.
I also understand that "real" cert based auth is more common (or else people probably contend with PSK...)
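
Added example, not part of the original message and not libreswan code: one way to turn the raw base64 public key discussed above into an openssl-style "PUBLIC KEY" PEM block. It assumes the raw value is the RFC 3110 encoding (exponent length, exponent, modulus) with a "0s" base64 prefix; the function names and the sample key are constructed for illustration.

```python
import base64
import textwrap

# DER AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
# Constructed sample, not a real key: exponent 65537 plus a 64-byte dummy modulus.
SAMPLE_MODULUS = bytes(range(0x80, 0xC0))
SAMPLE_RAW = "0s" + base64.b64encode(b"\x03\x01\x00\x01" + SAMPLE_MODULUS).decode()

def parse_raw_rsa(text):
    """Return (modulus, exponent) from an RFC 3110 blob, with optional '0s' prefix."""
    text = text.strip()
    text = text[2:] if text.startswith("0s") else text
    blob = base64.b64decode(text, validate=True)
    if len(blob) < 3:
        raise ValueError("key blob too short")
    # One length byte, or 0x00 followed by a two-byte length for long exponents.
    if blob[0]:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent, modulus = blob[off:off + elen], blob[off + elen:]
    if elen == 0 or len(exponent) != elen or not modulus:
        raise ValueError("truncated or malformed key blob")
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")

def der_tlv(tag, content):
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(content)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_uint(value):
    """DER INTEGER for a non-negative int; the extra byte room keeps the sign positive."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def raw_rsa_to_pem(text):
    """Wrap the raw key as a SubjectPublicKeyInfo 'PUBLIC KEY' PEM block."""
    n, e = parse_raw_rsa(text)
    rsa_public_key = der_tlv(0x30, der_uint(n) + der_uint(e))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode()
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(raw_rsa_to_pem(SAMPLE_RAW), end="")
```

The result can be checked with openssl rsa -pubin -text -noout before it is loaded on the peer. This handles only the public half; no private key material is involved.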