[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure
Greg Scott
GregScott at InfraSupportEtc.com
Thu Jul 9 17:37:26 EDT 2009
> You need. Once you create the keys in the NSS database, you have the
> public key in the ipsec.secrets file. After that the procedure is
> exactly the same as it is without NSS.
Hmmm....
So why do I see this error
>> Jul 8 17:37:33 huge-fw pluto[6200]: "Eagan-Everywhere" #4: Can't
>> find the private key from the NSS CERT (err -12285)
using the new version with NSS but the old version - with **identical**
conn descriptions - works? (Identical except that the new right side conn
description has the new NSS hostkey while the old conn description has
the old right side host key.)
Well - maybe a thought - After we went after this all day yesterday,
these are the commands I used to generate my new right side host key. I
will put "#" in front of each command in case the email butchers the
lines.
# cd /etc/ipsec.d
# rm -R -f nssdb
# mkdir nssdb
# prelink -u -a
# certutil -N -d sql:/etc/ipsec.d/nssdb
# modutil -fips true -dbdir sql:/etc/ipsec.d/nssdb
# ipsec newhostkey --random /dev/urandom \
    --configdir /etc/ipsec.d/nssdb \
    --password mypassword1 \
    --output /etc/ipsec.d/hostkey.secrets
I put my NSS database in /etc/ipsec.d/nssdb but your suggested commands
generated the NSS database in /etc/ipsec.d.
I noticed after generating my hostkey that three NSS database files were
also created in /etc/ipsec.d, even though I told it the configdir was
./nssdb. Is something hard-coded such that the NSS database must live
there? Or maybe the NSS database *must* live in the same directory as
the hostkey.secrets file? If so, then my error above was probably
because ipsec was looking in the wrong NSS database.
- Greg
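A quick way to answer the "which directory did the NSS database actually land in" question from the message above is to look for the standard NSS file names in both candidate directories. This is an added example, not code from the thread or from Openswan: an NSS database opened with the "sql:" prefix consists of cert9.db, key4.db and pkcs11.txt, while the legacy (no prefix) format consists of cert8.db, key3.db and secmod.db, so three new files appearing in /etc/ipsec.d is consistent with a legacy-format database having been created there rather than under the nssdb subdirectory. The directory paths in the script are placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or from Openswan): report which
# NSS database format, if any, lives in a directory, and compare the configdir
# passed to "ipsec newhostkey" with its parent directory.
# Standard NSS file names:
#   sql:    cert9.db key4.db pkcs11.txt
#   legacy: cert8.db key3.db secmod.db

nss_db_format() {
    dir=$1
    sql=0
    legacy=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ] && sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ] && legacy=1
    if [ "$sql" -eq 1 ] && [ "$legacy" -eq 1 ]; then
        echo both
    elif [ "$sql" -eq 1 ]; then
        echo sql
    elif [ "$legacy" -eq 1 ]; then
        echo legacy
    else
        echo none
    fi
}

# Given the --configdir you passed (e.g. /etc/ipsec.d/nssdb), check it and its
# parent (the ipsec.d directory). Returns 1 when the configdir holds no
# database but the parent does, i.e. the keys were written somewhere else.
nss_db_locate() {
    configdir=$1
    parent=$(dirname "$configdir")
    c=$(nss_db_format "$configdir")
    p=$(nss_db_format "$parent")
    echo "configdir: $configdir -> $c"
    echo "parent:    $parent -> $p"
    if [ "$c" = none ] && [ "$p" != none ]; then
        echo "WARNING: no database under the configdir; NSS files are in $parent"
        return 1
    fi
    return 0
}

# List the private keys a database holds (certutil -K), selecting the db
# prefix that matches the format found. A password-protected database will
# prompt; pass "-f passwordfile" to certutil to avoid that. Skipped when
# certutil is not installed.
nss_list_keys() {
    dir=$1
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed"
        return 0
    fi
    case $(nss_db_format "$dir") in
        sql|both) certutil -K -d "sql:$dir" ;;
        legacy)   certutil -K -d "$dir" ;;
        *)        echo "no NSS database in $dir" ;;
    esac
}

# Usage for the case in the e-mail (paths are placeholders):
#   nss_db_locate /etc/ipsec.d/nssdb
#   nss_list_keys /etc/ipsec.d
#   nss_list_keys /etc/ipsec.d/nssdb
```

If nss_db_locate reports the database in the parent directory only, the key pluto is being asked for is in a database other than the one ipsec.conf or ipsec.secrets points it at, which is the situation the message above suspects.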