[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Avesh Agarwal
avagarwa at redhat.com
Wed Jul 8 12:13:02 EDT 2009
Greg Scott wrote:
> OK, thanks.
>
>
>> You need to first create a NSS db as follows
>>
>> certutil -N -d sql:/etc/ipsec.d
>>
>
> Looking at the help text on an older f10 box to see what certutil -H
> does...
> .
> .
> .
> -N Create a new certificate database
> -d certdir Cert database directory (default is ~/.netscape)
> -P dbprefix Cert & Key database prefix
> .
> .
> .
>
> So I think the command above creates a new certificate database in
> /etc/ipsec.d. What is the sql: piece for?
>
>
"sql:" indicates to NSS to use the shared database, which is supported in
Fedora.
> I am guessing the idea behind this is, I could buy a certificate to
> "prove" I am who I claim to be and somehow put it in this database and
> then use it to generate my RSA key. And therefore my key can be trusted
> - right? But in this case, I am making a self signed certificate, so I
> am alleging I am who I claim to be. Am I close to understanding the
> idea behind all this?
>
>
"certutil -N" creates a certificate database, but when you use "ipsec
newhostkey" with NSS, it creates only raw RSA keys inside the NSS database.
Once you create raw RSA keys inside the NSS database, no other change is
required in the way raw RSA keys are used.
For creating certs (not self-signed), here is an example:
Creating CA cert with name "cacert1":
certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -t "C,C,C" -x \
  -d <path-to-ipsec.d dir>/ipsec.d
Creating user cert with name "usercert1" signed by "cacert1":
certutil -S -k rsa -c cacert1 -n usercert1 -s "CN=usercert1" -v 12 -t "u,u,u" \
  -d /etc/ipsec.d
So it depends on how you are going to create a certificate. README.nss
has details about using things with NSS.
Avesh
> If we can hash this out here, I'll be happy to write something up for
> the community to use.
>
>
> - Greg
>
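The steps Avesh lays out above (create the shared "sql:" database, make a self-signed CA with "C,C,C" trust, issue a user cert with "u,u,u" trust) as one runnable walk-through. This is an added example, not code from the original mail or from Openswan's README.nss. It assumes certutil from the NSS tools is installed, and runs against a throwaway directory so the real /etc/ipsec.d is never touched; the directory, the password file, the noise file and the serial numbers are constructed for the demo, while the nicknames and trust flags are the ones from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail or from Openswan's README.nss):
# the NSS steps described in the thread, run in a scratch directory.
# Requires certutil (package nss-tools on Fedora).
# NSSDIR, PWFILE, NOISE and the -m serial numbers are constructed for this demo.
set -eu

NSSDIR="${NSSDIR:-$(mktemp -d)}"
PWFILE="$NSSDIR/pwfile"   # keeps certutil non-interactive; the mail's commands prompt instead
NOISE="$NSSDIR/noise"     # seed for key generation (otherwise certutil asks you to type)

# 1. Create the database. "sql:" selects the shared (SQLite-backed) format that
#    Avesh mentions; without it certutil creates the legacy cert8.db/key3.db files.
nss_init_db() {
    umask 077
    printf 'demo-only-password\n' > "$PWFILE"
    dd if=/dev/urandom of="$NOISE" bs=256 count=8 2>/dev/null
    certutil -N -d "sql:$NSSDIR" -f "$PWFILE"
}

# 2. Self-signed CA (-x). Trust "C,C,C" marks it as a trusted issuer for SSL,
#    e-mail and object signing, so certificates it signs chain up to it.
nss_make_ca() {
    certutil -S -k rsa -g 2048 -n cacert1 -s "CN=cacert1" -v 12 -m 1 \
             -t "C,C,C" -x -d "sql:$NSSDIR" -f "$PWFILE" -z "$NOISE"
}

# 3. End-entity certificate issued by the CA (-c cacert1, no -x). Trust "u,u,u"
#    marks it as a user certificate whose private key lives in this database.
nss_make_user_cert() {
    certutil -S -k rsa -g 2048 -n usercert1 -s "CN=usercert1" -v 12 -m 2 \
             -c cacert1 -t "u,u,u" -d "sql:$NSSDIR" -f "$PWFILE" -z "$NOISE"
}

# Does a certificate with this nickname exist in the database? (exit status only)
nss_has_cert() {
    certutil -L -d "sql:$NSSDIR" -n "$1" >/dev/null 2>&1
}

# 4. Check the chain: usercert1 must validate as an SSL client certificate (-u C)
#    through cacert1, including the signature check (-e). certutil -V exits
#    non-zero if the chain does not verify, so a broken trust setting shows up here.
nss_verify_user_cert() {
    certutil -V -e -n usercert1 -u C -d "sql:$NSSDIR"
}

# Show what ended up in the database: certificates with their trust flags, and
# the raw RSA key pairs. The hex column of the key listing is each key's CKAID,
# the identifier Openswan's ipsec.secrets uses (as CKAIDNSS) for a key kept in NSS.
nss_show() {
    certutil -L -d "sql:$NSSDIR"
    certutil -K -d "sql:$NSSDIR" -f "$PWFILE"
}

nss_demo() {
    nss_init_db
    nss_make_ca
    nss_make_user_cert
    nss_verify_user_cert
    nss_show
    echo "NSS database populated in $NSSDIR"
}

if command -v certutil >/dev/null 2>&1; then
    nss_demo
else
    echo "certutil not found; install the NSS tools (nss-tools on Fedora) to run this" >&2
fi
```

Run it as-is to get a scratch database, or set NSSDIR to an empty directory you want to keep. The two things worth checking after the real commands in the mail are the same ones the script checks: "certutil -L" must show cacert1 with C trust and usercert1 with u trust, and "certutil -V" must accept usercert1 through that CA.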