[Openswan Users] Migrating RSA keys to the NSS database

Greg Scott GregScott at Infrasupport.com
Mon Jul 19 19:25:23 EDT 2010


As long as I'm ranting and raving, I may as well bring up the NSS
database. I've been reading up on why the migration from the .secrets
file to an NSS database happened. If I'm following, the US Government has
a standard called FIPS (Federal Information Processing Standard?) that
says no crypto keys should be in clear text. Red Hat wants to be FIPS
compliant, so to make Red Hat happy, this means Openswan needs to store
RSA keys in a database instead of the clear text ipsec.secrets or
hostkey.secrets file.
So I think I get the rationale and it makes sense.
The rub is, with lots of tunnels and lots of existing RSA keys out
there, I don't know of an easy way to migrate those .secrets files into
an NSS database. So if I replace an IPSEC router at any site, this
means I need to set up new keys for all sites that talk to the site in
question, because I don't have a way to preserve the old key at that
site.
Is it feasible to put together an import/export tool that would import
the contents of a *.secrets file into an NSS database, or extract a key
from an NSS database and put it in a *.secrets file?
Thanks
- Greg
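As an added example following Greg's post (this is not code from the thread, from Openswan or from Red Hat): a small, standard-library-only Python converter that parses the FreeS/WAN-style ": RSA { ... }" block found in ipsec.secrets / hostkey.secrets into a PKCS#1 PEM private key, sanity-checks the CRT parameters first so a corrupted or hand-edited entry is rejected before it goes anywhere near a key store, and does the reverse conversion for the export direction the post asks about. The sample entry is constructed with toy primes (p = 61, q = 53) so the arithmetic can be checked by hand; real host keys are 2048 bits or more and follow the same layout. The script stops at PEM on purpose: wrapping the PEM into PKCS#12 and loading it into the NSS database is left to the standard tools (see the note after the code), and the exact ipsec.secrets entry an NSS-backed Openswan expects for an imported key should be checked against the version's own documentation.

```python
"""Convert a FreeS/WAN-style ': RSA { ... }' entry from ipsec.secrets
into a PKCS#1 PEM private key, and back.  Added example; not Openswan code."""
import base64
import re
import sys
import textwrap

# Field names in the order the PKCS#1 RSAPrivateKey SEQUENCE lists them
# (after the leading version INTEGER 0).
FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
          "Prime2", "Exponent1", "Exponent2", "Coefficient")

# Constructed sample in the ipsec.secrets layout (toy primes 61 and 53,
# e = 17, d = 2753).  Not a real key; real entries are 2048+ bits.
SAMPLE_SECRETS = """\
: RSA\t{
\t# RSA 12 bits   toy-host   (constructed sample, not a real key)
\tModulus: 0x0ca1
\tPublicExponent: 0x11
\t# everything after this point is secret
\tPrivateExponent: 0x0ac1
\tPrime1: 0x3d
\tPrime2: 0x35
\tExponent1: 0x35
\tExponent2: 0x31
\tCoefficient: 0x26
\t}
"""


def parse_secrets_rsa(text):
    """Return {field: int} for the first ': RSA { ... }' block in the text."""
    m = re.search(r":\s*RSA\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no ': RSA { ... }' block found")
    body, key = m.group(1), {}
    for name in FIELDS:
        f = re.search(r"^\s*%s:\s*0x([0-9a-fA-F]+)" % name, body, re.M)
        if not f:
            raise ValueError("missing field %s" % name)
        key[name] = int(f.group(1), 16)
    return key


def check_key(k):
    """Refuse inconsistent CRT parameters before anything gets imported."""
    n, e, d = k["Modulus"], k["PublicExponent"], k["PrivateExponent"]
    p, q = k["Prime1"], k["Prime2"]
    if p * q != n:
        raise ValueError("Prime1 * Prime2 != Modulus")
    if (e * d) % (p - 1) != 1 or (e * d) % (q - 1) != 1:
        raise ValueError("e*d is not 1 mod (p-1) and (q-1)")
    if k["Exponent1"] != d % (p - 1) or k["Exponent2"] != d % (q - 1):
        raise ValueError("CRT exponents inconsistent with PrivateExponent")
    if (q * k["Coefficient"]) % p != 1:
        raise ValueError("Coefficient is not q^-1 mod p")
    return True


def der_len(n):
    """DER length octets (short form under 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    """DER INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def secrets_to_pem(text):
    """ipsec.secrets RSA block -> PKCS#1 'RSA PRIVATE KEY' PEM."""
    k = parse_secrets_rsa(text)
    check_key(k)
    body = der_int(0) + b"".join(der_int(k[f]) for f in FIELDS)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n" +
            "\n".join(textwrap.wrap(b64, 64)) +
            "\n-----END RSA PRIVATE KEY-----\n")


def _der_read(buf, pos):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_secrets(pem, comment="migrated key"):
    """Export direction: PKCS#1 PEM -> ': RSA { ... }' block for ipsec.secrets."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, body, _ = _der_read(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _der_read(body, pos)
        if t != 0x02:
            raise ValueError("unexpected tag 0x%02x" % t)
        ints.append(int.from_bytes(v, "big"))
    if len(ints) < 9 or ints[0] != 0:
        raise ValueError("not a version-0 PKCS#1 RSAPrivateKey")
    k = dict(zip(FIELDS, ints[1:9]))
    check_key(k)
    lines = ["\t# %s" % comment] + ["\t%s: 0x%x" % (f, k[f]) for f in FIELDS]
    return ": RSA\t{\n" + "\n".join(lines) + "\n\t}\n"


if __name__ == "__main__":
    # Usage: python secrets2pem.py /etc/ipsec.secrets > hostkey.pem
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECRETS
    sys.stdout.write(secrets_to_pem(src))
```

From the PEM, the rest of the import is done with the usual tools rather than by the script: openssl pkcs12 -export -nocerts -inkey hostkey.pem -out hostkey.p12 wraps the key in PKCS#12, and pk12util -i hostkey.p12 -d /etc/ipsec.d loads it into the NSS database (the database path is assumed here; use whatever your Openswan build points at). Treat the PEM and .p12 files as the clear-text secrets they are and shred them once the key is in NSS, since the whole point of the migration is that the key should not sit in a plain file afterwards.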