[Swan] RSA keys help

Paul Wouters paul at nohats.ca
Wed Jan 23 19:14:52 UTC 2019


On Wed, 23 Jan 2019, Kostya Vasilyev wrote:

> p12 would be fine - since that opens up a way to exchange with other formats.
>
> But right now importing or exporting to/from NSS seems to be limited to *certificates* not keys...

import and export work fine.

[root at thinkpad tmp]# certutil -L -d sql:/etc/ipsec.d
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

letoams.nohats.ca                                            u,u,u
Certificate Agency (CA) - No Hats Corporation                CT,, 
pwouters.nohats.ca                                           u,u,u
Certificate Agency (CA) - NetDev                             CT,, 
strongWest                                                   u,u,u
strongSwan CA - strongSwan                                   CT,,

[root at thinkpad tmp]# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2ad438fc7f3b65706f0381520f9f106a9eba7a96 letoams.nohats.ca
< 1> rsa      12fad02b4cfdd324049101ed1e79d5066cfc965d   (orphan)
< 2> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca
< 3> rsa      b9d591b99433b94ccc27af7f19235fe0e01b9214   (orphan)
< 4> ec       38ccad88c730f0cad273369617d2df83ecee02ae   strongWest

[root at thinkpad tmp]# pk12util -o test.p12 -d sql:/etc/ipsec.d -W password -n pwouters.nohats.ca 
pk12util: PKCS12 EXPORT SUCCESSFUL

[root at thinkpad tmp]# ls -l test.p12
-rw------- 1 root root 3907 Jan 23 14:11 test.p12
[root at thinkpad tmp]# mkdir /tmp/test
[root at thinkpad tmp]# ipsec initnss --nssdir /tmp/test
Initializing NSS database

[root at thinkpad tmp]# ipsec import --nssdir /tmp/test test.p12
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
correcting trust bits for Certificate Agency (CA) - NetDev
[root at thinkpad tmp]# certutil -L -d sql:/tmp/test

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

pwouters.nohats.ca                                           u,u,u
Certificate Agency (CA) - NetDev                             CT,, 
[root at thinkpad tmp]# certutil -K -d sql:/tmp/test
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca
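
A scripted form of the final check above, as an added example that is not part of the original message or of the libreswan/NSS tooling: it compares the key ID reported by `certutil -K` for one nickname in the source and destination databases, so a transfer that carried only the certificate is caught. The function names `key_id_for` and `same_key` are hypothetical, the sample listings reuse the output shown in the message, and the parser assumes the `< N> type keyid nickname` line layout seen there.

```shell
#!/bin/sh
# key_id_for NICKNAME: read `certutil -K` output on stdin and print the key ID
# of the entry whose nickname matches exactly. Exit 1 if no private key is found.
key_id_for() {
    awk -v nick="$1" '
        /^< *[0-9]+>/ {
            line = $0
            sub(/^< *[0-9]+> +/, "", line)      # drop the "< N> " index
            split(line, f, " ")                 # f[1] = key type, f[2] = key ID
            sub(/^[^ ]+ +[^ ]+ +/, "", line)    # remainder is the nickname
            sub(/ +$/, "", line)
            if (line == nick) { print f[2]; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# same_key NICKNAME SRC_LISTING DST_LISTING
# returns 0 if both listings hold the same key ID for NICKNAME,
#         1 if the destination lacks the key or holds a different one,
#         2 if the source has no private key under that nickname.
same_key() {
    src=$(printf '%s\n' "$2" | key_id_for "$1") || return 2
    dst=$(printf '%s\n' "$3" | key_id_for "$1") || return 1
    [ "$src" = "$dst" ]
}

# Sample listings reused from the certutil -K output in the message above.
SRC_SAMPLE='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2ad438fc7f3b65706f0381520f9f106a9eba7a96 letoams.nohats.ca
< 1> rsa      12fad02b4cfdd324049101ed1e79d5066cfc965d   (orphan)
< 2> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca
< 3> rsa      b9d591b99433b94ccc27af7f19235fe0e01b9214   (orphan)
< 4> ec       38ccad88c730f0cad273369617d2df83ecee02ae   strongWest'
DST_SAMPLE='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca'

# Against live databases the listings would come from certutil itself, e.g.
#   same_key pwouters.nohats.ca "$(certutil -K -d sql:/etc/ipsec.d)" \
#                               "$(certutil -K -d sql:/tmp/test)"
same_key pwouters.nohats.ca "$SRC_SAMPLE" "$DST_SAMPLE" \
    && echo "private key present in both databases"
```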
