[Openswan Users] Export a NSS based certificate to cacert??

webserv at s3group.com
Sat Dec 19 12:31:39 EST 2009


Well,

I do not think you can use the CA directly this way.
You actually need 2 certificates present:
1. Certification authority (CA) - to be injected with the -t 'C,C,C' parameter
2. Peer's certificate & private key (generated into the p12 file by the
server) - to be included with the -t 'p,p,p' parameter

Ondrej
>
> I am probably missing a few links/knowledge here, so please excuse that.
>
> I am having real problems with getting a CENTOS 5.4 to work with a Fedora
> machine.
> This is what I see in the log:
>
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: responding to Main Mode
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: STATE_MAIN_R1: sent MR1, expecting MI2
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: STATE_MAIN_R2: sent MR2, expecting MI3
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert1'
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: issuer cacert not found
>   Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: X.509 certificate rejected
>
>
> I followed the instructions as given in the README.nss, but the Fedora
> server does not like NSS.
> So I thought I would use the CentOS box with NSS and the Fedora machine the
> old-fashioned way.
>
> They are talking to each other, but the CERT from the CENTOS box is not
> found.
>
> So on the CENTOS box I did:
>
>  certutil -N -d /etc/ipsec.d
>  certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -t "C,C,C" -x -d /etc/ipsec.d/
>  pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d/
>  scp cacert1.p12 122.107.219.215:/tmp
>
> Then on the FEDORA box I did
>
>   pk12util -i cacert1.p12 -d /etc/ipsec.d
>   certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
>   certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
>   certutil -S -k rsa -c cacert1 -n usercert2 -s "CN=usercert2" -v 12 -t "u,u,u" -d /etc/ipsec.d
>
> but that doesn't work, so I guess I have to export the NSS-based cert to get
> an "issuer cacert", but I don't know how to do that.
>
>
> Help PLEASE!!!!
>
> I have been having a go at this for a while and it's starting to use up my
> patience.
>
>
> Jobst
>
>
>
>
> --
> while ( !sorted ) { do_nothing ( ) ; }
>
>   | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
>   | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
>   |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
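As an added, defender-side illustration (not part of the thread and not Openswan's own code), a small Python triage script that parses pluto log lines like those Jobst quoted and reports which IKE exchanges failed certificate validation, which peer DN was presented and why; the log sample is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample of pluto (Openswan IKE daemon) log lines, modelled on the
# ones quoted in the thread; not real traffic from any host.
SAMPLE_LOG = """\
Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: responding to Main Mode
Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: Main mode peer ID is ID_DER_ASN1_DN: 'CN=usercert1'
Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: issuer cacert not found
Dec 19 17:31:39 c122-107-219-215 pluto[32066]: "pluto-1-2" #9: X.509 certificate rejected
"""

# pluto prefixes every line with the connection name and the state number (#N).
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"peer ID is (?P<idtype>\w+): '(?P<id>[^']+)'")

# Messages that explain a certificate-based authentication failure, with the
# operator-facing explanation; the first marker seen is the root cause.
CERT_FAILURES = {
    "issuer cacert not found": "CA that signed the peer cert is not installed/trusted on this side",
    "X.509 certificate rejected": "peer certificate failed validation; see preceding reason",
}


def triage_pluto_log(text):
    """Group pluto lines by (connection, state number); record peer ID and cert failures."""
    exchanges = defaultdict(lambda: {"peer_id": None, "failures": []})
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a pluto state line (other daemons, noise)
        key = (m.group("conn"), int(m.group("state")))
        msg = m.group("msg")
        pid = PEER_ID_RE.search(msg)
        if pid:
            exchanges[key]["peer_id"] = pid.group("id")
        for marker, explanation in CERT_FAILURES.items():
            if marker in msg:
                exchanges[key]["failures"].append((marker, explanation))
    return dict(exchanges)


def rejected_peers(text):
    """Return [(conn, state, peer_id, root_cause)] for exchanges whose cert was rejected."""
    out = []
    for (conn, state), info in sorted(triage_pluto_log(text).items()):
        markers = [marker for marker, _ in info["failures"]]
        if "X.509 certificate rejected" in markers:
            out.append((conn, state, info["peer_id"], markers[0]))
    return out
```

Run over a responder's pluto log, a "issuer cacert not found" root cause points at the CA-trust step (the 'C,C,C' entry, or the CA file on a non-NSS peer) rather than at the peer certificate itself.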


