[Openswan Users] Problem: certutil: unable to decode trust string ....

Jobst Schmalenbach jobst at barrett.com.au
Fri Dec 24 10:25:39 EST 2010


Replying to myself as I found the problem.

I copied the info straight from a manual, hoping not to make a typing error.
Little did I know there is a typing error in the manual ...... 

BUT also a misleading error message:

  unable to decode trust string: Peer's Certificate has expired.

I changed this

  certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d

to this

  certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d

and everything worked; in fact, the bits making up this email
have been through that tunnel.

Jobst




On Fri, Dec 24, 2010 at 07:02:17PM +1100, Jobst Schmalenbach (jobst at barrett.com.au) wrote:
> Hi.
> 
> Machines are CentOS 5.4, I want NET-to-NET setup, this is what I did:
> on both machines:
> 
>  certutil -N -d /etc/ipsec.d
> 
> then on machine 1:
> 
>   certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d /etc/ipsec.d
>   pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
>   scp cacert1.p12 machine2:/tmp
> 
> then on machine 2:
> 
>   cd /etc/ipsec.d
>   mv /tmp/cacert1.p12 .
>   pk12util -i cacert1.p12 -d /etc/ipsec.d 
> 
>   certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
> 
> ERROR:
> 
>   certutil: unable to decode trust string: Peer's Certificate has expired.
> 
> 
> I understand that I need to create a new certificate, but where?
> Which one does NSS use?
> Do I use openssl?
> Can I use a REAL one from Apache?
> 
> 
> Jobst
> 
> 
> 
> -- 
> * help! I've fallen over and I can't SIGHUP!
> 
>   | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
>   | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
>   |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

-- 
Computers are like air conditioners, they stop working properly if you open Windows!

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
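
Added example, not part of the original post: a pre-flight check that rejects a trust string such as "C, C, C" before it reaches `certutil -M`, so the failure is reported as a format problem rather than through the expiry message quoted above. The function names (`valid_trust`, `normalize_trust`, `set_trust`) are hypothetical, and the accepted flag letters are an assumption taken from certutil's documentation.

```shell
#!/bin/sh
# Assumption: trust flag letters as listed in certutil's documentation.
# Adjust FLAGS if your NSS version documents others.
FLAGS='pPcCTuw'

# valid_trust STRING
# Succeeds only if STRING is exactly three comma-separated fields
# (SSL, e-mail, object signing), each made only of known flag letters.
# Empty fields are allowed, e.g. ",,".
valid_trust() {
    case $1 in
        *[!${FLAGS},]*) return 1 ;;   # a space or any unknown character
    esac
    case $1 in
        *,*,*,*) return 1 ;;          # more than three fields
        *,*,*)   return 0 ;;          # exactly three fields
        *)       return 1 ;;          # fewer than three fields
    esac
}

# normalize_trust STRING
# Prints STRING with all whitespace removed ("C, C, C" -> "C,C,C").
normalize_trust() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# set_trust NICKNAME TRUST DBDIR
# Refuses a malformed trust string (exit status 2) and suggests the
# whitespace-stripped form if that one is valid; otherwise runs the same
# certutil -M call used in the post.
set_trust() {
    if ! valid_trust "$2"; then
        fixed=$(normalize_trust "$2")
        echo "set_trust: malformed trust string '$2'" >&2
        if valid_trust "$fixed"; then
            echo "set_trust: did you mean '$fixed'?" >&2
        fi
        return 2
    fi
    certutil -M -n "$1" -t "$2" -d "$3"
}
```

Source the file and call `set_trust cacert1 "C,C,C" /etc/ipsec.d` in place of the bare certutil command.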

