[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 14:32:02 EDT 2009

> Before you get 2.6.21-5, try the following:
> certutil -N -d sql:/etc/ipsec.d
> modutil -fips true  -dbdir  sql:/etc/ipsec.d
> Then create RSA keys.

No joy:

[root at huge-fw ipsec.d]# certutil -N -d sql:/etc/ipsec.d/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root at huge-fw ipsec.d]# modutil -fips true  -dbdir

WARNING: Performing this operation while the browser is running could
corruption of your security databases. If the browser is currently
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.
[root at huge-fw ipsec.d]# ipsec newhostkey --configdir /etc/ipsec.d/nssdb
--output /etc/ipsec.d/hostkey.secrets
[root at huge-fw ipsec.d]#

This finished in less than a second, where it took several seconds
before, along with another window doing some activity to generate some
randomness.  So I looked at what it produced:

[root at huge-fw ipsec.d]# more hostkey.secrets
: RSA   {
FIPS integrity verification test failed.
# do not change the indenting of that "}"
[root at huge-fw ipsec.d]#

What in the world does that mean?

- Greg
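A small sanity check for the secrets file that `ipsec newhostkey` writes, added here as an example and not code from the thread or from Openswan: it flags NSS error text that has leaked into the file in place of a key (as in the output above) and verifies that the RSA block actually carries the CKAIDNSS line the subject refers to. The secrets-file layout it expects and the sample values are assumed/constructed, not real keys.

```shell
#!/bin/sh
# check_hostkey_secrets FILE: return 0 if FILE looks like a well-formed
# NSS-backed RSA secrets block, non-zero (with a reason) otherwise.
check_hostkey_secrets() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    # In the post, the NSS self-test failure text landed inside the
    # output file instead of a key; catch that first.
    if grep -q 'FIPS integrity verification test failed' "$f"; then
        echo "FAIL: NSS FIPS self-test failure leaked into $f (no key generated)"
        return 1
    fi
    grep -q '^: RSA[[:space:]]*{' "$f" \
        || { echo "FAIL: missing ': RSA {' header"; return 1; }
    # The CKAIDNSS line is the handle that ties the secrets entry to the
    # key stored in the NSS database (assumed layout: 'CKAIDNSS: 0x<hex>').
    grep -q '^[[:space:]]*CKAIDNSS:[[:space:]]*0x[0-9A-Fa-f]\{1,\}[[:space:]]*$' "$f" \
        || { echo "FAIL: CKAIDNSS keyword not found in RSA block"; return 1; }
    grep -q '^[[:space:]]*}[[:space:]]*$' "$f" \
        || { echo "FAIL: missing closing '}'"; return 1; }
    echo "OK: $f"
    return 0
}

# Constructed samples: a well-formed block (placeholder values, not a real
# key) and a copy of the broken output shown in the post.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
: RSA   {
    # RSA 2192 bits   huge-fw   Wed Jul  8 14:00:00 2009
    #pubkey=0sAQPLACEHOLDER
    Modulus: 0xdeadbeef
    PublicExponent: 0x03
    CKAIDNSS: 0x0123456789abcdef
    }
EOF
cat >"$BAD" <<'EOF'
: RSA   {
FIPS integrity verification test failed.
# do not change the indenting of that "}"
EOF

check_hostkey_secrets "$GOOD"
check_hostkey_secrets "$BAD" || echo "(exit status $?)"
```

Run it against `/etc/ipsec.d/hostkey.secrets` after key generation; a FAIL on the FIPS line means the NSS database's FIPS mode, not the key format, is what needs attention.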

