[Openswan Users] README.nss

Michael H. Warfield mhw at WittsEnd.com
Mon Jan 24 09:48:05 EST 2011

On Mon, 2011-01-24 at 09:21 -0500, Michael H. Warfield wrote: 
> On Mon, 2011-01-24 at 07:06 -0700, Willie Gillespie wrote: 
> > On 01/23/2011 04:50 PM, Michael H. Warfield wrote:
> > > Philosophical thoughts on README.nss, though.  As a cryptographer, I am
> > > morally offended by some of the things in there.  It says to export the
> > > CA keypair to a pkcs12 .p12 file and import them onto other machines.
> > > Private keys should only exist on the machines to which they belong.
> > > That's fundamental.  I can not possibly overstress that concept.  Using
> > > pkcs12 requires including the private key (someone please correct me if
> > > I'm wrong on this with pointers to the correct openssl syntax to do it).
> > 
> > I haven't tried it, but is it possible with the -nokeys option of pkcs12?

> That's a very good question too and might be an alternate method.  I'll
> check that out.  Thanks!

Well...  It certainly acted like it should have when I tried one for
"Gorgon10".  It created a .p12 file that pk12util accepted and said
"PKCS12 IMPORT SUCCESSFUL" but a subsequent listing of the database
didn't show it under the nickname that was specified.

Didn't seem to show up at all under any name but I've got a strange
entry there that says "postmaster at wittsend.com" that I don't recall
entering and it won't delete under that name (delete says not found).

When I try now to delete a "Gorgon10" entry (thinking the database
listing is wrong), I get this error:

certutil -D -n Gorgon10 -d /etc/ipsec.d/
certutil: could not find certificate named "Gorgon10": security library:
bad database.

So, no error but it didn't seem to work and may have left the database
in a bad condition.  I'll try and reproduce.  I may have been trying too
many experiments with this database.

> Regards,
> Mike

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
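The `-nokeys` export the thread is testing, as an added example that is not part of the original message or of the Openswan README: it builds a constructed throwaway CA, writes one `.p12` the README.nss way (key included) and one with `-nokeys`, and counts the private keys in each before the file is copied anywhere. It assumes only the `openssl` CLI; the file names and the password `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: contrast a .p12 that carries the CA
# private key with a certificate-only export, and check before distribution.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA key and self-signed certificate for the demo only.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# What README.nss describes: key and certificate together in one bundle.
export_with_key() {
  openssl pkcs12 -export -in "$WORK/cacert.pem" -inkey "$WORK/cakey.pem" \
    -out "$1" -passout pass:demo
}

# Certificate-only bundle: -nokeys leaves the private key out entirely.
export_cert_only() {
  openssl pkcs12 -export -nokeys -in "$WORK/cacert.pem" \
    -out "$1" -passout pass:demo
}

# Pre-distribution check: print the number of private keys inside a .p12.
# Anything other than 0 means the file must not leave the CA machine.
count_private_keys() {
  openssl pkcs12 -in "$1" -nodes -passin pass:demo 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY' || true
}

make_demo_ca
export_with_key "$WORK/ca-with-key.p12"
export_cert_only "$WORK/ca-cert-only.p12"
echo "README.nss style bundle: $(count_private_keys "$WORK/ca-with-key.p12") private key(s)"
echo "-nokeys bundle:          $(count_private_keys "$WORK/ca-cert-only.p12") private key(s)"
```

The certificate-only bundle is the one to hand to `pk12util` on the other machines; the key-bearing one stays where the CA key lives.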