<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <br>
    <div class="moz-cite-prefix">On 21/12/2015 22:30, Paul Wouters
      wrote:<br>
    </div>
    <blockquote
      cite="mid:alpine.LFD.2.20.1512211729330.15737@bofh.nohats.ca"
      type="cite">
      <br>
      On Mon, 21 Dec 2015, Nick Howitt wrote:
      <br>
      <br>
      <blockquote type="cite">I've just upgraded to 3.16 and I thought
        I'd have a go at IKEv2 on a road warrior but I'm stuck with the
        <br>
        NSS/certificates bit. I'm trying to use information gleaned from
        the Wiki, and use certificates already
        <br>
      </blockquote>
      <br>
      Note I updated that page recently to add the sql: prefix to all
      nss
      <br>
      commands using -d.
      <br>
    </blockquote>
    Hmm. It is not what I'm seeing. No references to sql: on the page
    (<a class="moz-txt-link-freetext" href="https://libreswan.org/wiki/Using_NSS_with_libreswan">https://libreswan.org/wiki/Using_NSS_with_libreswan</a>)<br>
    <blockquote
      cite="mid:alpine.LFD.2.20.1512211729330.15737@bofh.nohats.ca"
      type="cite">
      <br>
      <blockquote type="cite">generated on the server for the server and
        for OpenVPN. I deleted the old *.db and pkcs11.txt files in
        <br>
        /etc/ipsec.d then did the following:
        <br>
              [root@server ipsec.d]# ipsec initnss
        <br>
              Initializing NSS database
        <br>
        <br>
              [root@server ipsec.d]# certutil -L -d /etc/ipsec.d
        <br>
              certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
        certificate/key database is in an
        <br>
              old, unsupported format.
        <br>
      </blockquote>
      <br>
      So that should be: certutil -L -d sql:/etc/ipsec.d
      <br>
    </blockquote>
    That works, thanks.<br>
    <blockquote
      cite="mid:alpine.LFD.2.20.1512211729330.15737@bofh.nohats.ca"
      type="cite">
      <br>
      <blockquote type="cite">      [root@server ipsec.d]# ipsec import
        /etc/pki/CA/server.p12
        <br>
              Enter password for PKCS12 file:
        <br>
              pk12util: no nickname for cert in PKCS12 file.
        <br>
              pk12util: using nickname: server.howitts.lan - ClearOS
        <br>
              pk12util: PKCS12 IMPORT SUCCESSFUL
        <br>
              correcting trust bits for ca.server.howitts.lan - ClearOS
        <br>
              [root@server ipsec.d]# certutil -L -d /etc/ipsec.d
        <br>
              certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
        certificate/key database is in an
        <br>
              old, unsupported format.
        <br>
      </blockquote>
      <br>
      Same here.
      <br>
      <br>
      Paul
      <br>
    </blockquote>
    Nick<br>
    <br>
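    Added example, not part of the original messages and not libreswan's own code: the fix in this thread is the sql: prefix on certutil's -d argument, and this shell function chooses that prefix from the files actually present in the directory. The function name nss_db_spec is hypothetical; cert9.db/key4.db (SQLite) and cert8.db/key3.db (legacy DBM) are the standard NSS file names.<br>
    <pre>
```shell
#!/bin/sh
# Added example: pick the NSS database prefix for "certutil -d" by looking
# at which database files exist, instead of relying on the tool's default.
#   cert9.db + key4.db  = SQLite format, needs "sql:"
#   cert8.db + key3.db  = legacy DBM format, needs "dbm:"

nss_db_spec() {
    dir=$1
    has_sql=no
    has_dbm=no

    if [ -f "$dir/cert9.db" ]; then
        if [ -f "$dir/key4.db" ]; then has_sql=yes; fi
    fi
    if [ -f "$dir/cert8.db" ]; then
        if [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    fi

    if [ "$has_sql" = yes ]; then
        if [ "$has_dbm" = yes ]; then
            # Both formats present: stale legacy files were left behind.
            echo "warning: $dir holds both SQLite and legacy DBM files" >&2
        fi
        printf 'sql:%s\n' "$dir"
        return 0
    fi
    if [ "$has_dbm" = yes ]; then
        printf 'dbm:%s\n' "$dir"
        return 0
    fi

    echo "error: no NSS database found in $dir" >&2
    return 1
}

# Usage (assumes certutil is installed):
#   certutil -L -d "$(nss_db_spec /etc/ipsec.d)"
```
    </pre>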
  </body>
</html>