[Openswan Users] Problem: certutil: unable to decode trust string ....

Jobst Schmalenbach jobst at barrett.com.au
Fri Dec 24 03:02:17 EST 2010


Machines are CentOS 5.4, I want NET-to-NET setup, this is what I did:
on both machines:

 certutil -N -d /etc/ipsec.d

then one machine 1:

  certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d /etc/ipsec.d
  pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
  scp cacert1.p12 machine2:/tmp

then one machine 2:

  cd /etc/ipsec.d
  mv /tmp/cacert1.p12 .
  pk12util -i cacert1.p12 -d /etc/ipsec.d 

  certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d


  certutil: unable to decode trust string: Peer's Certificate has expired.

I understand the I need to create a new certificate, but where?
Which one does NNS  use?
Do I use openssl?
Can I use a REAL one from Apache?


* help! I've fallen over and I can't SIGHUP!

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

More information about the Users mailing list