[Openswan Users] Re: MacOSX 10.4.2: same problems with NAT-T

Paul Wouters paul at xelerance.com
Thu Jul 14 00:33:45 CEST 2005

On Wed, 13 Jul 2005, Alan Whinery wrote:

> I've been playing with this off and on over the last month. One slight, 
> discouraging revelation was that if you enable the root account and log into 
> the gui as root (if  I remember correctly), then you can import the X.509 
> certificate with the Apple keyring app, then the CA cert (I am using a local 
> CA), which gets you past the initial "no machine certificate" stuff.

Can you give me more detailed information on this? I had heard similar
reports, and have attempted:

Open the Terminal.app located in the Utilities folder. Copy the System's X509Anchors database to your local Keychains directory by executing the following command:
    cp /System/Library/Keychains/X509Anchors ~/Library/Keychains
Run the certtool and import the cacert.pem file using:
    certtool i ~/caCert.pem k=X509Anchors
Move your local X509Anchors file back to the System's Keychains folder:
    sudo mv ~/Library/Keychains/X509Anchors /System/Library/Keychains/X509Anchors
Note that in theory, you should be able to do the following command as well:
    sudo certtool i ca.crt v k=/System/Library/Keychains/x509Anchors
In practice, the certificate will be imported, but it will not show up as valid.

Alternatively, I have tried to start Keychain Access, and in the lower left, click
show all keychains, and then added all the system keychains, and tried to import
in those directly.

All of these methods gave me no Machine Certificate I could use.

If anyone has a method that works, PLEASE contact me and tell me exactly how you
managed this.


> The milestone (stumbling block?) I'm currently sitting on on the Mac 10.4.2 
> side is:
> Jun 14 09:21:56 bender pluto[1744]: "roadwarrior-l2tp"[380] 
> #1287: ignoring informational payload, type INVALID_CERTIFICATE
> Wherein the mac appears to be complaining about the server's certificate. 
> None of the many Windows clients complain about that certificate -- Macs are 
> too whiny.
> I'm doing a talk on this next week in Vancouver, I'm kind of giving up on 
> getting rid of the word "probably" from the Mac slide...
> Alan
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users


   "I am not even supposed to be here today!"  -- Clerk
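The thread turns on whether the client's trust store contains the CA that issued the gateway's certificate: until the CA cert is imported and recognised, the client rejects the server certificate, and a log line such as "ignoring informational payload, type INVALID_CERTIFICATE" says only that the peer rejected it, not why. The following added example (not Openswan, Apple or Alan's code) uses Go's standard crypto/x509 package to run the same chain validation a client performs and reduce the outcome to a reason. The CA name "Constructed Test CA", the gateway name "vpn.example.test" and the certificate lifetimes are constructed test material, and makeCert and Diagnose are hypothetical helpers written for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so every constructed certificate gets a distinct serial number.
var serial int64

// makeCert builds a constructed test certificate. With parent == nil it is self-signed
// (a local CA like the one in the thread); otherwise it is issued by parent.
func makeCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true, // emit basicConstraints so the CA flag is explicit
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Diagnose runs the chain validation a client performs before accepting a gateway
// certificate, using only the given trust anchors, and names the outcome.
func Diagnose(leaf *x509.Certificate, anchors ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown-authority" // issuing CA is not in the trust store
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &invalid):
		return "invalid"
	default:
		return "error: " + err.Error()
	}
}

func main() {
	now := time.Now()
	ca, caKey, err := makeCert("Constructed Test CA", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		panic(err)
	}
	gw, _, err := makeCert("vpn.example.test", false, now.Add(-time.Hour), now.Add(24*time.Hour), ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("CA imported:    ", Diagnose(gw, ca)) // ok
	fmt.Println("CA not imported:", Diagnose(gw))     // unknown-authority
}
```

The "unknown-authority" outcome is exactly the state the thread describes before the CA import succeeds: the gateway certificate itself is fine, but the client has no anchor to chain it to. Checking the chain this way on the server side, with the CA file you intend to hand to clients, separates a trust-store problem from a genuinely bad certificate before touching the client at all.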
