[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Thu Jul 9 17:37:26 EDT 2009

> You need. Once you create the keys in NSS database, you have 
> public key in ipsec.secrets file. After that the procedure is 
> exactly the same as it is without NSS.


So why do I see this error

>> Jul  8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't 
>> find the private key from the NSS CERT (err -12285) 

using the new version with NSS but the old version - with **identical**
conn descriptions works?  (Identical except that the new right side conn
description has the new NSS hostkey while the old conn description has
the old right side host key.)

Well - maybe a thought - After we went after this all day yesterday,
these are the commands I used to generate my new right side host key.  I
will put "#" in front of each command in case the email butchers the
	# cd /etc/ipsec.d
	# rm -R -f nssdb
	# mkdir nssdb
	# prelink -u -a
	# certutil -N -d sql:/etc/ipsec.d/nssdb
	# modutil -fips true  -dbdir sql:/etc/ipsec.d/nssdb
	# ipsec newhostkey --random /dev/urandom --configdir /etc/ipsec.d/nssdb --password mypassword1 --output

I put my NSS database in /etc/ipsec.d/nssdb but your suggested commands
generated the NSS database in /etc/ipsec.d.  

I noticed after generating my hostkey that three NSS database files were
also created in /etc/ipsec.d, even though I told it the configdir was
./nssdb.  Is something hard-coded such that the NSS database must live
there?  Or maybe the NSS database *must* live in the same directory as
the hostkey.secrets file?  If so, then my error above was probably
because ipsec was looking in the wrong NSS database.  

- Greg