Diffstat (limited to 'man/ipsec.secrets.5.in')
-rw-r--r-- man/ipsec.secrets.5.in 21
1 files changed, 17 insertions, 4 deletions
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index 319d4856b..ee20c9670 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -91,6 +91,9 @@ defines an RSA private key
.B ECDSA
defines an ECDSA private key
.TP
+.B P12
+defines a PKCS#12 container
+.TP
.B EAP
defines EAP credentials
.TP
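Review bot: the new `.B P12` entry in the secret-type list says only "defines a PKCS#12 container", while the RSA and ECDSA entries next to it name the credential they define. The P12 paragraph added further down states that private keys, client certificates and CA certificates are all extracted, so consider saying that here as well, for example "defines a PKCS#12 container holding private keys and certificates". A reader scanning the list would then see that this type loads more than a key.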
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with
.B 0s
is interpreted as Base64 encoded binary data.
.TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
.TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
For the private key file both absolute paths or paths relative to
\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
.B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
whenever it is required to decrypt the key.
.TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
.B <user id> : EAP <secret>
The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
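Review bot: the P12 paragraph says "Private keys, client and CA certificates are extracted from the container" but does not say how the extracted CA certificates are treated. Please state whether they become trusted for authenticating peers, because an administrator who adds a P12 line to load a client key needs to know whether the container also changes the set of trusted CAs. The phrase "one of the subjects of the certificate" would also be clearer if it said whether it means the subject DN, the subjectAltName entries, or both. Separately, the RSA and ECDSA syntax lines lose `[ <selectors> ]` in this hunk with no text saying whether selectors on existing entries are now ignored or rejected; one sentence on that would help people upgrading existing files.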
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to
the module name defined in strongswan.conf(5).
Instead of specifying the pin code statically,
.B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
.LP
.SH FILES