[Openswan Users] README.nss

Michael H. Warfield mhw at WittsEnd.com
Mon Jan 24 10:51:50 EST 2011

On Mon, 2011-01-24 at 09:48 -0500, Michael H. Warfield wrote: 
> On Mon, 2011-01-24 at 09:21 -0500, Michael H. Warfield wrote: 
> > On Mon, 2011-01-24 at 07:06 -0700, Willie Gillespie wrote: 
> > > On 01/23/2011 04:50 PM, Michael H. Warfield wrote:
> > > > Philosophical thoughts on README.nss, though.  As a cryptographer, I am
> > > > morally offending by some of the things in there.  It says to export the
> > > > CA keypair to a pkcs12 .p12 file and import them onto other machines.
> > > > Private keys should only exist on the machines to which they belong.
> > > > That's fundamental.  I can not possibly overstress that concept.  Using
> > > > pkcs12 requires including the private key (someone please correct me if
> > > > I'm wrong on this with pointers to the correct openssl syntax to do it).
> > > 
> > > I haven't tried it, but is it possible with the -nokeys option of pkcs12?
> > That's a very good question too and might be an alternate method.  I'll
> > check that out.  Thanks!
> Well...  It certainly acted like it should have when I tried one for
> "Gorgon10".  It created a .p12 file that pk12util accepted and said
> "PKCS12 IMPORT SUCCESSFUL" but a subsequent listing of the database
> didn't show it under the nic name that was specified.
> Didn't seem to show up at all under any name but I've got a strange
> entry there that says "postmaster at wittsend.com" that I don't recall
> entering and it won't delete under that name (delete says not found).
> When I try now to delete a "Gorgon10" entry (thinking the database
> listing is wrong), I get this error:
> certutil -D -n Gorgon10 -d /etc/ipsec.d/
> certutil: could not find certificate named "Gorgon10": security library:
> bad database.

> So, no error but it didn't seem to work and may have left the database
> in a bad condition.  I'll try and reproduce.  I may have been trying too
> many experiments with this database.

Oh, yeah.  No.  I can reproduce this.  Do NOT use that -nokeys option.
It doesn't seem to work right and you end up with something in the
database that you may not want.

What I did was create a .p12 file with openssl from a cert with no
private key and specified a nic name of Gorgon10.  Then used pk12util to
import it.  Gorgon10 is not on the list when I run certutil -L on the
database but a new entry with the E-Mail address from the cert is.  I
can't seem to delete that, but, after the first time when I get no
errors, I now get errors about "bad database" and I seem to be missing
some other entries.  So, it did not do the right thing and it seems to
be corrupting the NSS database.

Actually, it seems to be the 'certutil -D -n postmaster at wittsend.com'
that's causing the corruption (most of the 2 dozen certs in that
database have that as the E-Mail address).  It seems to delete the wrong
cert (one less on the list) and after that the database is corrupt.  I
tested that out without even adding the Gorgon10 cert just by doing the
delete (even though there wasn't anything listed with that name).  It
seem to work and there was one less cert on the list and after that I
got the security library warning about a bad database.

Nice idea but I think I would avoid that option for now.

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20110124/ae3dd828/attachment.bin 

More information about the Users mailing list