/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
east #
 # Generate a sane CA and a sane peer certificate.
east #
 ipsec certutil -m 1 -S -k rsa -x        -n new-ca   -s "CN=new-ca"   -v 12 -t "CT,C,C" -z ipsec.conf
Generating key.  This may take a few moments...
east #
 ipsec certutil -m 2 -S -k rsa -c new-ca -n new-west -s "CN=new-west" -v 12 -t "u,u,u"  -z ipsec.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 ipsec pk12util -W secret -o OUTPUT/new-west.p12   -n new-west
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec certutil -L -n new-west -a > OUTPUT/new-west.crt
east #
 ipsec certutil -F -n new-west
east #
 # Now generate a CA that expires this month.  Use that to sign a
east #
 # certificate (for west) that has just started to be valid and
east #
 # slightly more recent than above.
east #
 ipsec certutil -m 1 -S -k rsa -x -w -11 -v 12 -n old-ca  -s "CN=old-ca"  -v 12 -t "CT,C,C" -z ipsec.conf
Generating key.  This may take a few moments...
east #
 ipsec certutil -m 2 -S -k rsa -c old-ca       -n old-west -s "CN=old-west" -v 12 -t "u,u,u"  -z ipsec.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 ipsec pk12util -W secret -o OUTPUT/old-west.p12   -n old-west
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec certutil -L -n old-west -a > OUTPUT/old-west.crt
east #
 ipsec certutil -F -n old-west
east #
 ipsec vfychain to confirm the above settings
open of to failed, -5950 = File not found
east #
 #
east #
 # -p -p engages the new PKIX interface that pluto is using.
east #
 #
east #
 # -u 12 -> 1<<12 is #define certificateUsageIPsec (0x1000)
east #
 #
east #
 # -b YYMMDDHHMMZ (yea, CC is magic)
east #
 ipsec vfychain -v -u 12 -p -p -a OUTPUT/new-west.crt
Chain is good!
Root Certificate Subject:: "CN=new-ca"
Certificate 1 Subject: "CN=new-west"
east #
 ipsec vfychain -v -u 12 -p -p -a OUTPUT/old-west.crt
Chain is good!
Root Certificate Subject:: "CN=old-ca"
Certificate 1 Subject: "CN=old-west"
east #
 # Import the cert
east #
 ipsec pk12util -i OUTPUT/east.p12 -W secret
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec auto --add east
"east": added IKEv2 connection
east #
