[Swan] libreswan inside local network with NAT (left) - MacOS roadwarrior (right)

Rodrigo Gruppelli grupis at gmail.com
Fri Nov 4 19:48:15 EET 2022


Paul, thanks for your answer.

On Fri, Nov 4, 2022 at 06:53, Paul Wouters <paul at nohats.ca> wrote:

> ...
> > - certificate authentication: then it shows 2 certificates to choose:
> com.apple.systemdefault and com.apple.kerberos.kdc ....
>
> Yes, it should show your certificate if you imported it as PKCS#12. If
> it does not show up, it likely is missing a proper SAN FQDN setting on
> the certificate.
>

I couldn't import the p12 file into MacOS. When importing it, mac's
Keychain Access asks for the password of the .p12 file, even though I
didn't set any password in the certificate generation steps (just pressed
<enter>). Or even if I set some password, it still doesn't accept it,
saying 'wrong password'. Any clues on that? What would be this "proper SAN
FQDN setting"?

To create the certificate, I followed these steps:

# Create database
mkdir $HOME/tmpdb
certutil -N -d sql:${HOME}/tmpdb

# Create CA
certutil -S -x -n "Gruppelli CA" -s "O=Gruppelli,CN=Gruppelli CA" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t "CT,," -2

# Create Server Certificate
certutil -S -c "Gruppelli CA" -n "gruppelli" -s "O=Gruppelli,CN=gruppelli" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "gruppelli"

# Create Client Certificate
certutil -S -c "Gruppelli CA" -n "mac" -s "O=Gruppelli,CN=mac" -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," -1 -6 -8 "mac"

# Export client p12 files
pk12util -o /home/rodrigo/mac.p12 -n "mac" -d sql:${HOME}/tmpdb/

Note that the Libreswan server is Ubuntu 22.04 and the client is
macOS High Sierra 10.13.6 (a little bit old but still kickin').

Cheers,
Rodrigo
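Two checks worth running on the Libreswan host before copying the file to the Mac, as an added example (not code from the original thread or from the libreswan project): confirm that the stored server certificate really carries the DNS Subject Alternative Name, and export the client PKCS#12 with an explicit password instead of the empty one that pressing <enter> produces, then re-open the file with that password to prove it works. It assumes the NSS database path and the nicknames from the message above ($HOME/tmpdb, "gruppelli", "mac"); the export password is a constructed placeholder, and `has_dns_san` relies on the `DNS name: "..."` line that `certutil -L` prints under the Subject Alt Name extension.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumes the NSS database and nicknames used in the post already exist.
set -eu

NSSDB="${NSSDB:-$HOME/tmpdb}"                 # database directory from the post
P12PASS="${P12PASS:-change-me-example}"       # constructed placeholder password

# Read `certutil -L` output on stdin and succeed (exit 0) only if it lists the
# given name as a DNS-name Subject Alternative Name. Dots in the name are
# treated as regex wildcards, which is harmless for this check.
has_dns_san() {
    grep -Eiq "DNS name: *\"?$1\"?[[:space:]]*$"
}

# Print the stored server certificate and check it for the SAN that the
# roadwarrior will match against (usage: check_server_san NICK FQDN).
check_server_san() {
    certutil -L -d "sql:$NSSDB" -n "$1" | has_dns_san "$2"
}

# Export the client certificate and key with an explicit PKCS#12 password
# (-W) rather than an empty one, then list the file with the same password
# so a rejected password shows up here, not in Keychain Access.
# Usage: export_client_p12 NICK OUTFILE PASSWORD
export_client_p12() {
    pk12util -o "$2" -n "$1" -d "sql:$NSSDB" -W "$3"
    pk12util -l "$2" -W "$3" >/dev/null
}

# Run both checks only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    if check_server_san gruppelli gruppelli; then
        echo "server certificate carries DNS SAN 'gruppelli'"
    else
        echo "server certificate has no DNS SAN 'gruppelli'" >&2
        exit 1
    fi
    export_client_p12 mac "$HOME/mac.p12" "$P12PASS"
    echo "exported $HOME/mac.p12 and verified its password"
fi
```

Running the script with the `run` argument on the Libreswan host exits non-zero if either the SAN is missing or the exported file cannot be opened with the chosen password, which separates a certificate problem from an import problem on the Mac.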