[Openswan Users] Export a NSS based certificate to cacert??

Jobst Schmalenbach jobst at barrett.com.au
Sat Dec 19 01:39:21 EST 2009


I am probably missing a few links/knowledge here, so please excuse that.

I am having real problems with getting a CENTOS 5.4 to work with a Fedora machine.
This is what I see in the log:

  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: responding to Main Mode
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: STATE_MAIN_R1: sent MR1, expecting MI2
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: STATE_MAIN_R2: sent MR2, expecting MI3
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert1'
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: issuer cacert not found
  Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: X.509 certificate rejected


I followed the instructions as given in the README.nss, but the Fedora server does not like NSS,
so I thought I'd use the CentOS with NSS and the Fedora machine the old-fashioned way.

They are talking to each other but the CERT from the CENTOS box is not found.

So on the CENTOS box I did:

 certutil -N -d /etc/ipsec.d
 certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -t "C,C,C" -x -d /etc/ipsec.d/
 pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d/
 scp cacert1.p12 122.107.219.215:/tmp

Then on the FEDORA box I did:

  pk12util -i cacert1.p12 -d /etc/ipsec.d
  certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
  certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
  certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d /etc/ipsec.d

but that doesn't work, so I guess I have to export the NSS-based cert to get
an "issuer cacert", but I don't know how to do that.


Help PLEASE!!!!

I have been having a go at this for a while and it's starting to use up my patience.


Jobst




-- 
while ( !sorted ) { do_nothing ( ) ; }

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
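Added example, not part of the original post and not Openswan's own tooling: a POSIX shell script for the step the post asks about, getting the CA certificate out of the NSS database in PEM form so that a file-based (non-NSS) Openswan peer can find the issuer, plus the two checks a practitioner would want first: that the nickname really carries the C (CA) trust flag in the NSS database, and that the peer certificate's issuer actually matches the CA subject according to OpenSSL. The database path /etc/ipsec.d, the nicknames cacert1/usercert1, the destination /etc/ipsec.d/cacerts and the sample certutil listing embedded below are assumptions for illustration; the certutil -L -n NICK -a and openssl verify invocations are standard options of those tools.

```shell
#!/bin/sh
# Added example (not from the original post): export the CA certificate from
# an Openswan NSS database as PEM for a file-based Openswan peer, and check
# that a peer certificate actually chains to it. Paths, nicknames and the
# sample certutil listing below are assumptions for illustration.
set -eu

NSSDB=${NSSDB:-/etc/ipsec.d}    # assumed NSS database directory
CA_NICK=${CA_NICK:-cacert1}     # assumed CA nickname, as used in the post

# Print the trust-attribute column for one nickname from `certutil -L -d DB`
# output read on stdin (e.g. "C,C,C" or "u,u,u"); prints nothing if absent.
trust_flags_of() {
    awk -v n="$1" '$1 == n { print $NF }'
}

# Succeed only when the first (SSL) trust slot carries C, i.e. NSS treats
# the certificate as a trusted CA. "u,u,u" marks a user cert, not a CA.
is_trusted_ca() {
    flags=$(trust_flags_of "$1")
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Export one certificate (never the private key) from the NSS DB as PEM:
# -L selects the cert by nickname, -a asks for ASCII (PEM) output.
export_cert_pem() {
    certutil -L -d "$NSSDB" -n "$1" -a
}

# Drop the CA cert where file-based Openswan looks for issuer certificates.
install_ca_for_file_based_peer() {
    dest=${1:-/etc/ipsec.d/cacerts}
    mkdir -p "$dest"
    export_cert_pem "$CA_NICK" > "$dest/$CA_NICK.pem"
    echo "$dest/$CA_NICK.pem"
}

# Compare issuer and subject and verify the chain with OpenSSL: a mismatch
# here is what pluto reports as "issuer cacert not found".
check_chain() {
    ca_pem=$1
    cert_pem=$2
    openssl x509 -in "$ca_pem" -noout -subject
    openssl x509 -in "$cert_pem" -noout -issuer
    openssl verify -CAfile "$ca_pem" "$cert_pem"
}

# Constructed sample of `certutil -L -d /etc/ipsec.d` output (not captured
# from a real system) so the trust-flag check can run without an NSS DB.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert1                                                      C,C,C
usercert1                                                    u,u,u
'

# Real run (needs certutil, openssl and a populated NSS DB):
#   sh export_ca.sh run [/etc/ipsec.d/cacerts]
if [ "${1:-}" = "run" ]; then
    certutil -L -d "$NSSDB" | is_trusted_ca "$CA_NICK" \
        || { echo "$CA_NICK is not trusted as a CA in $NSSDB" >&2; exit 1; }
    ca_pem=$(install_ca_for_file_based_peer "${2:-/etc/ipsec.d/cacerts}")
    export_cert_pem usercert1 > /tmp/usercert1.pem
    check_chain "$ca_pem" /tmp/usercert1.pem
fi
```

Only the certificate is exported here; the PKCS#12 file produced by pk12util -o in the post also carries the CA private key, which the other peer never needs and should not receive. The file-based Openswan side wants its own host certificate in /etc/ipsec.d/certs and its private key in /etc/ipsec.d/private (referenced from ipsec.secrets), so a cert generated with certutil -S on the NSS side would have to be exported the same way, with its key via pk12util and openssl pkcs12, before that peer can use it.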

