[Openswan Users] Problem: certutil: unable to decode trust string ....
jobst at barrett.com.au
Fri Dec 24 10:25:39 EST 2010
Replying to myself as I found the problem.
I copied the info straight from a manual, hoping not to make a typing error.
Little did I know there is a typing error in the manual ......
BUT also a misleading error message:
unable to decode trust string: Peer's Certificate has expired.
I changed this
certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
to
certutil -M -n cacert1 -t "C,C,C" -d /etc/ipsec.d
and everything worked, in fact the bits making up this email
have been through that tunnel
On Fri, Dec 24, 2010 at 07:02:17PM +1100, Jobst Schmalenbach (jobst at barrett.com.au) wrote:
> Machines are CentOS 5.4, I want NET-to-NET setup, this is what I did:
> on both machines:
> certutil -N -d /etc/ipsec.d
> then on machine 1:
> certutil -S -k rsa -n cacert1 -s "CN=cacert1" -v 12 -d . -t "C,C,C" -x -d /etc/ipsec.d
> pk12util -o cacert1.p12 -n cacert1 -d /etc/ipsec.d
> scp cacert1.p12 machine2:/tmp
> then on machine 2:
> cd /etc/ipsec.d
> mv /tmp/cacert1.p12 .
> pk12util -i cacert1.p12 -d /etc/ipsec.d
> certutil -M -n cacert1 -t "C, C, C" -d /etc/ipsec.d
> certutil: unable to decode trust string: Peer's Certificate has expired.
> I understand that I need to create a new certificate, but where?
> Which one does NSS use?
> Do I use openssl?
> Can I use a REAL one from Apache?
> * help! I've fallen over and I can't SIGHUP!
> | |0| | Jobst Schmalenbach, jobst at barrett.com.au, General Manager
> | | |0| Barrett Consulting Group P/L & The Meditation Room P/L
> |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
Computers are like air conditioners, they stop working properly if you open Windows!
| |0| | Jobst Schmalenbach, jobst at barrett.com.au, General Manager
| | |0| Barrett Consulting Group P/L & The Meditation Room P/L
|0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
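
Added example, not part of the original message: a pre-flight check for the -t trust argument, so that a string such as "C, C, C" is rejected with a precise reason before certutil reports an unrelated-looking error. The function names check_trust and set_trust are hypothetical, and the accepted flag letters (p P c C T u w, plus legacy g) are taken from the certutil documentation.

```shell
#!/bin/sh
# Validate an NSS trust string ("SSL,S/MIME,object-signing") before
# passing it to certutil -t. Added example; function names are hypothetical.

# check_trust STRING
#   returns 0 if well formed, 2 on embedded spaces,
#   3 on wrong field count, 4 on an unknown flag character.
check_trust() {
    trust=$1

    # The failure from this thread: spaces after the commas.
    case "$trust" in
        *" "*)
            echo "trust string '$trust' contains spaces; write it like 'C,C,C'" >&2
            return 2 ;;
    esac

    # Exactly two commas separate the three fields (fields may be empty).
    case "$trust" in
        *,*,*,*) echo "trust string '$trust' has more than three fields" >&2
                 return 3 ;;
        *,*,*)   ;;
        *)       echo "trust string '$trust' has fewer than three fields" >&2
                 return 3 ;;
    esac

    # Only known trust flags (assumed set: p P c C T u w g) and commas.
    case "$trust" in
        *[!pPcCTuwg,]*)
            echo "trust string '$trust' contains an unknown flag" >&2
            return 4 ;;
    esac
    return 0
}

# set_trust NICKNAME TRUST DBDIR
#   runs the certutil -M call from the message only if TRUST validates.
set_trust() {
    check_trust "$2" || return $?
    certutil -M -n "$1" -t "$2" -d "$3"
}

# Constructed demo using the two strings from the message.
check_trust "C,C,C" && echo "C,C,C accepted"
check_trust "C, C, C" || echo "C, C, C rejected (exit $?)"
```
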