ipsec_cert() { ipsec certutil -L ; for n in "$@" ; do printf "*\n*\n* ${n}\n*\n*\n" ; set ipsec certutil -L -n ${n} ; echo " $@" ; "$@" ; done ; }
west #
 /testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west.p12
 ipsec pk12util -w nss-pw -i real/mainca/west.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n west
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "west" [E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 /testing/x509/import.sh real/mainca/nic.p12
 ipsec pk12util -w nss-pw -i real/mainca/nic.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n nic
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "nic" [E=user-nic@testing.libreswan.org,CN=nic.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec_cert mainca west nic
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west                                                         u,u,u
mainca                                                       CT,, 
nic                                                          u,u,u
*
*
* mainca
*
*
 ipsec certutil -L -n mainca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=T
            est Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=
            Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:
*
*
* west
*
*
 ipsec certutil -L -n west
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=T
            est Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=user-west@testing.libreswan.org,CN=west.testing.libreswan
            .org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west.testing.libreswan.org"
            RFC822 Name: "west@testing.libreswan.org"
            IP Address: 192.1.2.45
            IP Address: 2001:db8:1:2::45
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Key Usage
            Usages: Digital Signature
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
*
*
* nic
*
*
 ipsec certutil -L -n nic
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=T
            est Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=user-nic@testing.libreswan.org,CN=nic.testing.libreswan.o
            rg,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "nic.testing.libreswan.org"
            RFC822 Name: "nic@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Extended Key Usage
                OCSP Responder Certificate
            Name: Certificate Key Usage
            Usages: Digital Signature
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
west #
 /testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh otherca/otherwest.p12
 ipsec pk12util -w nss-pw -i otherca/otherwest.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n otherca -t CT,,
 ipsec certutil -O -n otherwest
"otherca" [E=testing@libreswan.org,CN=Libreswan test CA for otherca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "otherwest" [E=user-otherwest@testing.libreswan.org,CN=otherwest.other.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec_cert otherca otherwest
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
otherwest                                                    u,u,u
otherca                                                      CT,, 
*
*
* otherca
*
*
 ipsec certutil -L -n otherca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for otherca,OU=
            Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=testing@libreswan.org,CN=Libreswan test CA for otherca,OU
            =Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
        Object Signing Flags:
*
*
* otherwest
*
*
 ipsec certutil -L -n otherwest
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for otherca,OU=
            Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=user-otherwest@testing.libreswan.org,CN=otherwest.other.l
            ibreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,
            C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "otherwest.other.libreswan.org"
            RFC822 Name: "otherwest@other.libreswan.org"
            IP Address: 192.1.2.45
            IP Address: 2001:db8:1:2::45
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Key Usage
            Usages: Digital Signature
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
west #
 /testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west_chain_int_1.end.cert
 ipsec certutil -A -n west_chain_int_1 -t P,, -i real/mainca/west_chain_int_1.end.cert
 ipsec certutil -O -n west_chain_int_1
"west_chain_int_1" [E=west_chain_int_1@testing.libreswan.org,CN=west_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec_cert west_chain_int_1
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west_chain_int_1                                             P,,  
*
*
* west_chain_int_1
*
*
 ipsec certutil -L -n west_chain_int_1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=T
            est Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=west_chain_int_1@testing.libreswan.org,CN=west_chain_int_
            1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,
            ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west_chain_int_1.testing.libreswan.org"
            RFC822 Name: "west_chain_int_1@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Key Usage
            Critical: True
            Usages: Certificate Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Terminal Record
            Trusted
        Email Flags:
        Object Signing Flags:
west #
 /testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west_chain_int_2.end.cert
 ipsec certutil -A -n west_chain_int_2 -t P,, -i real/mainca/west_chain_int_2.end.cert
 ipsec certutil -O -n west_chain_int_2
"west_chain_int_2" [E=west_chain_int_2@testing.libreswan.org,CN=west_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec_cert west_chain_int_2
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west_chain_int_2                                             P,,  
*
*
* west_chain_int_2
*
*
 ipsec certutil -L -n west_chain_int_2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=west_chain_int_1@testing.libreswan.org,CN=west_chain_int_1
            .testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,S
            T=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=west_chain_int_2@testing.libreswan.org,CN=west_chain_int_
            2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,
            ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west_chain_int_2.testing.libreswan.org"
            RFC822 Name: "west_chain_int_2@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Key Usage
            Critical: True
            Usages: Certificate Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            Terminal Record
            Trusted
        Email Flags:
        Object Signing Flags:
west #
 /testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west_chain_endcert.p12
 ipsec pk12util -w nss-pw -i real/mainca/west_chain_endcert.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n west_chain_endcert
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "west_chain_int_1" [E=west_chain_int_1@testing.libreswan.org,CN=west_chain_int_1.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
    "west_chain_int_2" [E=west_chain_int_2@testing.libreswan.org,CN=west_chain_int_2.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
      "west_chain_endcert" [E=west_chain_endcert@testing.libreswan.org,CN=west_chain_endcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 ipsec_cert west_chain_endcert
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west_chain_endcert                                           u,u,u
west_chain_int_2                                             ,,   
west_chain_int_1                                             ,,   
mainca                                                       CT,, 
*
*
* west_chain_endcert
*
*
 ipsec certutil -L -n west_chain_endcert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=west_chain_int_2@testing.libreswan.org,CN=west_chain_int_2
            .testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,S
            T=Ontario,C=CA"
        Validity:
            Not Before: TIMESTAMP
            Not After : TIMESTAMP
        Subject: "E=west_chain_endcert@testing.libreswan.org,CN=west_chain_en
            dcert.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toro
            nto,ST=Ontario,C=CA"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "west_chain_endcert.testing.libreswan.org"
            RFC822 Name: "west_chain_endcert@testing.libreswan.org"
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://nic.testing.libreswan.org:2560"
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://nic.testing.libreswan.org/revoked.crl"
            Name: Certificate Key Usage
            Usages: Digital Signature
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
    Fingerprint (SHA1):
    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
west #
