/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
east #
 # Generate three CA+cert pairs.
east #
 #
east #
 # new-ca+new-cert: a sane CA and a sane peer certificate, back-dated
east #
 # by two months (-v12 -w -1).
east #
 #
east #
 # old-ca+old-west: generate a CA that expired 1 month ago (-v 12 -w
east #
 # -13).  Use that to sign a certificate (for west) that is valid.
east #
 #
east #
 # hog-ca+hog=west: same; CA expired 1 month ago (-v 12 -w -13).  Use
east #
 # that to sign a certificate (for west) that is valid.
east #
 ipsec certutil -m 1 -S -k rsa -x        -w -2 -n new-ca   -s "CN=new-ca"   -v 12 -t "CT,C,C" -z ipsec.conf
Generating key.  This may take a few moments...
east #
 ipsec certutil -m 2 -S -k rsa -c new-ca       -n new-west -s "CN=new-west" -v 12 -t "u,u,u"  -z ipsec.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 ipsec certutil -m 1 -S -k rsa -x -w -13 -v 12 -n old-ca  -s "CN=old-ca"  -v 12 -t "CT,C,C" -z ipsec.conf
Generating key.  This may take a few moments...
east #
 ipsec certutil -m 2 -S -k rsa -c old-ca -w -11 -n old-west -s "CN=old-west" -v 12 -t "u,u,u"  -z ipsec.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 ipsec certutil -m 1 -S -k rsa -x -w -13 -v 12 -n hog-ca  -s "CN=hog-ca"  -v 12 -t "CT,C,C" -z ipsec.conf
Generating key.  This may take a few moments...
east #
 ipsec certutil -m 2 -S -k rsa -c hog-ca -w -11 -n hog-west -s "CN=hog-west" -v 12 -t "u,u,u"  -z ipsec.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 # Export the generated certificates and then delete them.  This forces
east #
 # west to send the cert as part of IKE_AUTH.
east #
 ipsec pk12util -W secret -o OUTPUT/hog-west.p12   -n hog-west
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec pk12util -W secret -o OUTPUT/new-west.p12   -n new-west
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec pk12util -W secret -o OUTPUT/old-west.p12   -n old-west
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec certutil -L -n hog-west -a > OUTPUT/hog-west.crt
east #
 ipsec certutil -L -n new-west -a > OUTPUT/new-west.crt
east #
 ipsec certutil -L -n old-west -a > OUTPUT/old-west.crt
east #
 ipsec certutil -F -n hog-west
east #
 ipsec certutil -F -n new-west
east #
 ipsec certutil -F -n old-west
east #
 # ipsec vfychain to confirm the above settings
east #
 #
east #
 # -p -p engages the new PKIX interface that pluto is using.
east #
 #
east #
 # -u 12 -> 1<<12 is #define certificateUsageIPsec (0x1000)
east #
 #
east #
 # -b YYMMDDHHMMZ (yea, CC is magic)
east #
 NOW=$(date +%s)
east #
 THEN=$((${NOW} - 45 * 24 * 60 * 60))
east #
 VFYDATE=$(date -d @${THEN} +%y%m%d000000Z)
east #
 ipsec vfychain -v -u 12 -p -p -a OUTPUT/new-west.crt
Chain is good!
Root Certificate Subject:: "CN=new-ca"
Certificate 1 Subject: "CN=new-west"
east #
 ipsec vfychain -v -u 12 -p -p -b ${VFYDATE} -a OUTPUT/new-west.crt
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=new-west :
  ERROR -8181: Peer's Certificate has expired.
east #
 ! ipsec vfychain -v -u 12 -p -p -a OUTPUT/old-west.crt
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=old-west :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=old-ca
east #
 ipsec vfychain -v -u 12 -p -p -b ${VFYDATE} -a OUTPUT/old-west.crt
Chain is good!
Root Certificate Subject:: "CN=old-ca"
Certificate 1 Subject: "CN=old-west"
east #
 ! ipsec vfychain -v -u 12 -p -p -a OUTPUT/hog-west.crt
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=hog-west :
  ERROR -8179: Peer's Certificate issuer is not recognized.
    CN=hog-ca
east #
 ipsec vfychain -v -u 12 -p -p -b ${VFYDATE} -a OUTPUT/hog-west.crt
Chain is good!
Root Certificate Subject:: "CN=hog-ca"
Certificate 1 Subject: "CN=hog-west"
east #
 # Import the cert
east #
 ipsec pk12util -i OUTPUT/east.p12 -W secret
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec auto --add new-ca
"new-ca": added IKEv2 connection
east #
 ipsec auto --add old-ca
"old-ca": added IKEv2 connection
east #
 ipsec auto --add hog-ca
"hog-ca": WARNING: left is a groundhog
"hog-ca": added IKEv2 connection
east #
