/testing/guestbin/swan-prep --x509
Preparing X.509 files
east #
 ipsec certutil -D -n west
east #
 ipsec certutil -m 2 -S -k rsa -c east -n west-notyetvalid -s CN=west-notyetvalid -w 1 -v 12 -t u,u,u  -z east.conf
Generating key.  This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
east #
 ipsec pk12util -W secret -o OUTPUT/west-notyetvalid.p12 -n west-notyetvalid
pk12util: PKCS12 EXPORT SUCCESSFUL
east #
 ipsec certutil -L -n west-notyetvalid -a > OUTPUT/west-notyetvalid.crt
east #
 ipsec certutil -F -n west-notyetvalid
east #
 ! ipsec vfychain -v -u 12 -p -p -p -a OUTPUT/west-notyetvalid.crt
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=west-notyetvalid :
  ERROR -8181: Peer's Certificate has expired.
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec auto --add nss-cert
"nss-cert": added IKEv2 connection
east #
 echo "initdone"
initdone
east #
 # will only show up on east - note "expired" is wrong and should be "not yet valid"
east #
 grep '^".*ERROR' /tmp/pluto.log
"nss-cert" #1: NSS: ERROR: IPsec certificate CN=west-notyetvalid invalid: SEC_ERROR_EXPIRED_CERTIFICATE: Peer's Certificate has expired.
east #
 
