[Openswan Users] How do I import an existing *.secrets file into an NSS database?

Greg Scott GregScott at Infrasupport.com
Thu Feb 10 14:39:21 EST 2011


Sigh . . .

Yeah, that's kind of what I was afraid of.  For now, I need to get this one site upgraded before the hardware breaks so I guess I'll build a non-NSS flavor of ipsec and then I'll look into doing everything with real self-signed certificates for the future.  

Yup, this does suck.  I have several customers with tunnels and ipsec implementations of varying ages and will need to handle any number of combinations of versions.  It's going to be a hassle.

- Greg



-----Original Message-----
From: Michael H. Warfield [mailto:mhw at WittsEnd.com] 
Sent: Thursday, February 10, 2011 12:06 PM
To: Greg Scott
Cc: mhw at WittsEnd.com; users at openswan.org
Subject: Re: [Openswan Users] How do I import an existing *.secrets file into an NSS database?

On Thu, 2011-02-10 at 10:56 -0600, Greg Scott wrote:
> This is making me nuts! I studied the script Mike Warfield put 
> together and I've gone over and over and over README.nss. And I'm 
> totally lost. It looks like Mike's script manipulates PKI stuff. And 
> tinkering with the pk12util program that README.nss mentions, it looks 
> like it wants a file formatted a certain way and ipsec.secrets doesn't 
> work. So it's not like I can just issue some commands and import 
> ipsec.secrets into an NSS database. The process is evidently more 
> complex. Or non-existent.

The pk12util program is only going to be useful if you have files in
pkcs12 format, which this is not.  There doesn't seem to be any other way to import purely a private key without some sort of cert associated with it.  You can probably create a self-signed cert using openssl if you can import that private key into OpenSSL and then, from it, generate a cert and then self sign it.  Then you can export that into a .pkcs12 file pk12util will accept.

Your challenge is to import that private key into OpenSSL for starters.

This page might help.  It describes converting keys between several formats, including GPG and SSH.

http://kerneltrap.org/node/64803

It's not going to be easy to convert a raw unadorned RSA key into something you can stuff into pkcs12.  I gave up on using RSA keys like that years ago and went the PKI route and never looked back.  Think of it as merely a portable container for keys.

Regards,
Mike

> In the pre-NSS days, I could do this:
> 
>  
> 
> ipsec newhostkey with a bunch of parameters. This would generate a 
> clear text ASCII file with default name /etc/ipsec.secrets. Since I'm 
> using a Red Hat Fedora distro, I would append -output 
> /etc/ipsec.d/ipsec.secrets and voila - I would have a file with what I 
> needed in a directory that gets along with the Fedora distro. 
> Wonderful. And portable - if a box breaks or to upgrade to a new 
> version, I could quickly build up a new one, copy ipsec.secrets and 
> other files where they belong, and get back up and running.
> 
>  
> 
> But now we have this NSS database and somehow, the world is different.  Quoting from README.nss:
> 
>  
> 
> > Public key information in ipsec.secrets is stored in the same way as before.
> > However, all the fields of the Private key information contain just a similar
> > ID. This ID is called CKA ID, which is used to locate private keys inside NSS
> > database during the IKE negotiation.
> 
>  
> 
> OK - so this seems to mean that the new ipsec.secrets is different than the old ipsec.secrets.  The new ipsec.secrets has an ID that points to a private key inside an NSS database.  And the Fedora flavor of Openswan expects the NSS database to be in /etc/ipsec.d.  OK, I can live with that.  
> 
>  
> 
> But I have an old ipsec.secrets file on an old Fedora box.  I don't have any certificates or certificate authorities or PKI infrastructure that I know of.  Just a bunch of ipsec.secrets files on each node.   Each node knows its own private key and the private key of its partner.  I want to replace this old box with a new box using the new version of ipsec and preserve the information in the old ipsec.secrets.  
> 
>  
> 
> Understanding the risks of doing it this way with PSKs - if one box is compromised, the bad guys have all the keys to the whole VPN infrastructure - there's gotta be some way to use the old ipsec.secrets to create a new ipsec.secrets and NSS database.  And near as I can tell, README.nss is completely silent on this.  Or else it's staring me in the face and I don't get it.  
> 
>  
> 
> Thanks
> 
>  
> 
> -          Greg
> 
>  
> 
> 
> 
> 
> 
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] 
> On Behalf Of Greg Scott
> Sent: Wednesday, February 09, 2011 4:39 PM
> To: users at openswan.org
> Subject: [Openswan Users] How do I import an existing *.secrets file into an NSS database?
> 
>  
> 
> This should be easy but I sure haven't figured out how to do it - I have a tunnel with an existing config, about 3 or so years old, that I want to upgrade to the newest version.  This site uses a hostkey.secrets file with its own private key.  The tunnels use pre-shared keys - no certificates - and this branch site is old enough that it predates all the NSS stuff.  But now I need to upgrade it and I would prefer to keep using the private key I already have in place.  
> 
>  
> 
> So now we have this NSS database that's supposed to hold all the crypto stuff and the latest versions of IPSEC look there instead of the raw files we used to use.  
> 
>  
> 
> I know how to build a new, empty NSS database and put it in /etc/ipsec.d like this:
> 
>  
> 
> certutil -N -d /etc/ipsec.d
> 
>  
> 
> I know how to generate a new private key and populate my new NSS database:
> 
>  
> 
> ipsec newhostkey --configdir /etc/ipsec.d \
>                 --output /etc/ipsec.d/hostkey.secrets \
>                 --verbose \
>                 --hostname myhost
> 
>  
> 
> But what if I already have a private key named hostkey.secrets and I want to keep using it?  How do I import an existing hostkey.secrets file into an NSS database?
> 
>  
> 
> Thanks
> 
>  
> 
> -          Greg Scott
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: 
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

--
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
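Mike's reply describes the only practical route: get the raw RSA key out of the old ipsec.secrets, give it a self-signed certificate with OpenSSL, wrap both in PKCS#12, and import that with pk12util. The missing first step is that the pre-NSS ipsec.secrets stores the key as a set of labelled integers rather than in any format OpenSSL reads. The following Python script is an added example written for this thread, not Openswan or NSS code. It parses the FreeS/WAN-era `: RSA { ... }` block (fields Modulus, PublicExponent, PrivateExponent, Prime1, Prime2, Exponent1, Exponent2, Coefficient, written as `0x` hex or `0s` base64), checks that the CRT parameters are mutually consistent so a corrupted or hand-edited key is rejected before it ever reaches the NSS database, and emits a PKCS#1 "RSA PRIVATE KEY" PEM that `openssl rsa` accepts. The embedded sample key is a constructed toy (p=61, q=53) so the script runs offline; a real key is the one in your own secrets file.

```python
"""Convert the RSA block of a pre-NSS Openswan ipsec.secrets file to PKCS#1 PEM.

Added example for this mailing-list thread, not Openswan or NSS code. The
field names and the 0x / 0s number prefixes are the FreeS/WAN-era
ipsec.secrets conventions; the sample below is a constructed toy key and
is far too small for real use.
"""
import base64
import re

# Constructed sample in the old ": RSA { ... }" layout (toy-sized numbers).
SAMPLE_SECRETS = """\
: RSA\t{
\t# RSA 12 bits   toyhost   Thu Feb 10 2011
\tModulus: 0x0ca1
\tPublicExponent: 0x11
\t# everything after this point is secret
\tPrivateExponent: 0x0ac1
\tPrime1: 0x3d
\tPrime2: 0x35
\tExponent1: 0x35
\tExponent2: 0x31
\tCoefficient: 0x26
\t}
"""

# PKCS#1 RSAPrivateKey field order (RFC 8017, A.1.2) after the version integer.
FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
          "Prime2", "Exponent1", "Exponent2", "Coefficient")


def parse_number(token):
    """Decode an ipsec.secrets number: 0x hex, 0s base64, or plain decimal."""
    if token.startswith("0x"):
        return int(token[2:], 16)
    if token.startswith("0s"):
        return int.from_bytes(base64.b64decode(token[2:]), "big")
    return int(token, 10)


def parse_rsa_block(text):
    """Return {field: int} for the RSA fields found in the secrets text."""
    fields = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(\w+):\s*(\S+)$", line)
        if m and m.group(1) in FIELDS:
            fields[m.group(1)] = parse_number(m.group(2))
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("incomplete RSA block, missing: " + ", ".join(missing))
    return fields


def check_rsa(fields):
    """Verify the CRT parameters agree, so a corrupted key is caught before import."""
    n, e, d = fields["Modulus"], fields["PublicExponent"], fields["PrivateExponent"]
    p, q = fields["Prime1"], fields["Prime2"]
    return (p * q == n
            and (e * d) % ((p - 1) * (q - 1)) == 1
            and fields["Exponent1"] == d % (p - 1)
            and fields["Exponent2"] == d % (q - 1)
            and (fields["Coefficient"] * q) % p == 1)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_integer(value):
    """DER INTEGER for a non-negative value (extra leading 0x00 if high bit set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def rsa_private_key_der(fields):
    """Build the PKCS#1 RSAPrivateKey SEQUENCE: version 0 plus eight integers."""
    content = der_integer(0) + b"".join(der_integer(fields[f]) for f in FIELDS)
    return b"\x30" + der_length(len(content)) + content


def to_pem(der):
    """Wrap DER in the traditional 'RSA PRIVATE KEY' PEM armour, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


def convert(text):
    """Parse, validate and re-encode; refuse to emit an inconsistent key."""
    fields = parse_rsa_block(text)
    if not check_rsa(fields):
        raise ValueError("RSA parameters are inconsistent; refusing to convert")
    return to_pem(rsa_private_key_der(fields))


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECRETS
    sys.stdout.write(convert(src))
```

Run it as `python3 convert.py /etc/ipsec.secrets > hostkey.pem` on the old box and keep the output at mode 0600. From there the rest is the chain Mike outlines with standard OpenSSL and NSS tools: `openssl rsa -check -noout -in hostkey.pem` confirms OpenSSL reads the key, `openssl req -new -x509 -key hostkey.pem -out hostcert.pem` produces the self-signed certificate NSS insists on, `openssl pkcs12 -export -inkey hostkey.pem -in hostcert.pem -out host.p12` packages both, and `pk12util -i host.p12 -d /etc/ipsec.d` imports the bundle into the database created with `certutil -N -d /etc/ipsec.d`. Once the import succeeds, delete the intermediate PEM and PKCS#12 files, since each is a second unprotected copy of the host's private key.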
