[strongSwan] help with transferring private key to ikey3000 -opensc-0.11.11
luxInteg
lux-integ at btconnect.com
Thu Aug 18 16:56:50 CEST 2011
On Thursday 18 August 2011 09:15:14 luxInteg wrote:
> Greetings,
>
> I have a system with these:
> cpu -->-intel-P4 ;
> os:--> cblfs linux kernel-2.6.37.6
> openct-0.6.18;
> opensc-0.11.11
>
> I am attempting to use pkcs15-init to transfer a private key from a
> 'security-authority' computer to a smart card. The latter is the
> Rainbow iKey 3000. It is to be used on an internet gateway computer with
> strongSwan. I followed the instructions I found here:-
> http://www.strongswan.org/docs/readme.htm#section_8.5
>
> step1 : OK
> pkcs15-init --erase-card --create-pkcs15
>
> step2 -OK
> pkcs15-init --auth-id 1 --store-pin --pin "12345678"
> --puk "87654321" --label "my PIN"
>
> step3 -failed
> pkcs15-init --auth-id 1 --store-private-key mykey.pem
> [--id 45]
> I obtain the following error:-
>
> ##################
> [pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No
> readers found
> Using reader with a card: Rainbow iKey 3000
> error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> error:0906A065:PEM routines:PEM_do_header:bad decrypt
> error: Unable to read private key from mykey.pem
>
> Aborting.
> #######
>
> I have two passphrases I used when I generated the key; the passphrase for
> the certificate mycert.pem and the passphrase for the CA when I signed it.
> I tried either of these passphrases without success.
>
> I get the same response no matter what I put as the passphrase.
>
> Help would be appreciated
>
> yours sincerely
> lux-integ
>
I had some help from the opensc folks; they suggested generating the key with
the -nodes switch (i.e. making a passwordless, unencrypted key), presumably
like so:
openssl req -newkey rsa:1024 -nodes -keyout hostKey.pem -out hostReq.pem
( http://www.strongswan.org/docs/readme.htm#section_3.2 )
I would be grateful if someone on the list could comment on the security
implications of a private key for a gateway that is unencrypted?
yours sincerely
lux-integ
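Editor's note, with an added example that is not part of the original post or of the strongSwan documentation. The "bad decrypt" above comes from pkcs15-init itself trying to decrypt the passphrase-protected PEM; OpenSSL's flag for writing an unencrypted key is -nodes (not -node). Regenerating the key unencrypted is one option. The other is to keep the long-term PEM encrypted and strip the passphrase only for the few seconds of the import into the iKey, into a mode-0600 file that is shredded afterwards, so the plaintext never persists on the gateway. The script below does both, verifies the decrypted copy is the same RSA key before it would be stored, and cleans up. File names, the CN, the passphrase "secret" and the commented-out pkcs15-init call (which needs the card and reader) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or the strongSwan docs).
# Two ways to hand pkcs15-init a key it can read, and the clean-up a gateway
# operator would want afterwards. File names, the CN and the passphrase
# "secret" are illustrative assumptions.
set -eu
umask 077   # files created below are owner-readable only (mode 0600)

# is_encrypted_pem FILE: true if the PEM carries an OpenSSL encryption marker
# ("Proc-Type: 4,ENCRYPTED"/"DEK-Info:" for traditional PEM, or
# "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8). pkcs15-init has to decrypt such
# a file itself, which is where the "bad decrypt" error came from.
is_encrypted_pem() {
    grep -q -e 'ENCRYPTED' -e '^DEK-Info:' "$1"
}

# Path 1: generate an unencrypted key directly, as suggested on the list.
# The OpenSSL flag is -nodes ("no DES"), not -node.
# gen_unencrypted_key KEYFILE REQFILE SUBJECT
gen_unencrypted_key() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" 2>/dev/null
}

# Path 2: keep the long-term PEM encrypted and strip the passphrase only for
# the import.  gen_encrypted_key KEYFILE PASSPHRASE
gen_encrypted_key() {
    openssl genrsa -aes128 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# decrypt_for_import ENCKEY PASSPHRASE PLAINKEY: write a plaintext copy that
# pkcs15-init can read; the caller shreds it once the key is on the card.
decrypt_for_import() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# same_modulus ENCKEY PASSPHRASE PLAINKEY: confirm the plaintext copy is the
# same RSA key before anything is stored on the card.
same_modulus() {
    a=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$3" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# shred_key FILE: overwrite, then unlink (falls back to dd where shred is absent)
shred_key() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        dd if=/dev/urandom of="$1" bs=4k count=1 conv=notrunc 2>/dev/null
        rm -f "$1"
    fi
}

# key_mode FILE: the permission string as ls shows it, e.g. "-rw-------"
key_mode() {
    ls -l "$1" | cut -c1-10
}

# demo DIR: run both paths in DIR. The pkcs15-init call is a comment because
# it needs the iKey and a reader; everything else runs on any host.
demo() {
    dir=$1
    gen_unencrypted_key "$dir/hostKey.pem" "$dir/hostReq.pem" "/CN=gateway.example.org"
    gen_encrypted_key "$dir/gatewayKey.enc.pem" "secret"
    decrypt_for_import "$dir/gatewayKey.enc.pem" "secret" "$dir/gatewayKey.plain.pem"
    same_modulus "$dir/gatewayKey.enc.pem" "secret" "$dir/gatewayKey.plain.pem"
    # pkcs15-init --auth-id 1 --store-private-key "$dir/gatewayKey.plain.pem" --id 45
    shred_key "$dir/gatewayKey.plain.pem"   # plaintext existed only for the import
}

if [ $# -ge 1 ]; then
    demo "$1"
fi
```

Run it as `sh import-key.sh /some/private/dir`. Once the key is on the iKey, the gateway authenticates with the card and its PIN, so no private-key PEM needs to remain on disk at all; the unencrypted copy is only a transient artefact of the import, and the point of the umask and the shred is to make sure it stays that way.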