# Do not populate NSS DB, check it is empty
east #
 /testing/guestbin/swan-prep
east #
 certutl -L -d sql:/etc/ipsec.d
-bash: certutl: command not found
east #
 # setup softhsm with east's PKCS12 info
east #
 #SOFTHSM2_CONF="/etc/softhsm2.conf"
east #
 #SOFTHSM2_TOKEN_DIR="$(grep 'directories.tokendir' "$SOFTHSM2_CONF" | cut -d '=' -f 2 | sed 's/ //g')"
east #
 export GNUTLS_PIN=123456
east #
 export GNUTLS_SO_PIN=12345678
east #
 export GNUTLS_NEW_SO_PIN=12345678
east #
 # delete any old libreswan softhsm token
east #
 #OLDSOFTHSM=$(p11tool --list-tokens |grep libreswan |grep URL| sed "s/URL://")
east #
 #if [ -n "${OLDSOFTHSM}" ] ; then p11tool --batch --delete "${OLDSOFTHSM}" > /dev/null 2> /dev/null ; fi
east #
 rm -rf /var/lib/softhsm/tokens/*
east #
 # init new one
east #
 softhsm2-util --init-token --slot 0 --label libreswan --so-pin ${GNUTLS_SO_PIN} --pin ${GNUTLS_PIN}
The token has been initialized and is reassigned to slot 1456307527
east #
 p11tool --provider PATH/lib64/pkcs11/libsofthsm2.so --id 01 --write --load-certificate /testing/x509/certs/east.crt --label eastCert --login
east #
 p11tool --provider PATH/lib64/pkcs11/libsofthsm2.so --id 02 --write --load-privkey /testing/x509/keys/east.key --label eastKey --login
east #
 p11tool --provider PATH/lib64/pkcs11/libsofthsm2.so --id 03 --write --trusted --ca --load-certificate /testing/x509/cacerts/mainca.crt --label eastCA --so-login
east #
 p11tool --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=libreswan" --login
Object 0:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ac1fd4cd56cd7d47;token=libreswan;id=%02;object=eastKey;type=private
	Type: Private key (RSA-3072)
	Label: eastKey
	Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
	ID: 02
Object 1:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ac1fd4cd56cd7d47;token=libreswan;id=%03;object=eastCA;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: TIMESTAMP
	Label: eastCA
	Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED; 
	ID: 03
Object 2:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ac1fd4cd56cd7d47;token=libreswan;id=%01;object=eastCert;type=cert
	Type: X.509 Certificate (RSA-3072)
	Expires: TIMESTAMP
	Label: eastCert
	ID: 01
east #
 CERT_URI=$(p11tool --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=libreswan" --login | grep 'type=cert' | grep 'URL:' | cut -d ':' -f '2-' | sed 's/ //g' | grep "id=%01" )
east #
 KEY_URI=$(p11tool --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=libreswan" --login | grep 'type=private' | grep 'URL:' | cut -d ':' -f '2-' | sed 's/ //g' | grep "id=%02")
east #
 echo "CERT_URI=${CERT_URI}"
CERT_URI=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ac1fd4cd56cd7d47;token=libreswan;id=%01;object=eastCert;type=cert
east #
 echo "KEY_URI=${KEY_URI}"
KEY_URI=pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=ac1fd4cd56cd7d47;token=libreswan;id=%02;object=eastKey;type=private
east #
 echo -e "conn eastcert\n\trightcert=${CERT_URI}" > OUTPUT/eastcert.conf
east #
 echo -e "NSS Certificate DB:${GNUTLS_PIN}\nNSS FIPS 140-2 Certificate DB:${GNUTLS_PIN}\nlibreswan:${GNUTLS_PIN}" > /etc/ipsec.d/nsspassword
east #
 ipsec start
Redirecting to: [initsystem]
east #
 /testing/pluto/bin/wait-until-pluto-started
east #
 ipsec auto --add westnet-eastnet-ikev2

[ broken from here ]

east #
 
