Hello,
Recently I've been experimenting with an HSM and FreeIPA. I got stuck at the CA
generation, but that's a separate issue. I somehow achieved a successful key
generation on the HSM with the default key_algorithm/size settings: RSA 3072/2048
keys showed up on the HSM even after a failed CA installation, but that was not the
case with ECC keys.
The error was:
```
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f',
'/tmp/tmp877ip58a'] returned
non-zero exit status 1:
pkihelper : ERROR Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
sslv3 alert handshake failure (_ssl.c:1056)
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547,
in main
scriptlet.spawn(deployer)
File
"/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
line 670, in spawn
raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more
information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
```
and the configuration was:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
```
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
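As an added example (not part of the message above, nor code from FreeIPA or Dogtag), the following script parses a pkispawn-style `[DEFAULT]` section like the one quoted in the message and reports internal inconsistencies between the key type, key size/curve and signature algorithm settings, plus two operational findings: missing HSM fields when `pki_hsm_enable=True`, and a token PIN stored in cleartext in the deployment file. The curve names `nistp256/384/521` and the `SHA256withEC` / `SHA256withRSA` algorithm spelling are Dogtag conventions; the accepted RSA sizes list and the assumption that `pki_ca_signing_key_size` should agree with `ipa_key_size` are the example's own, and the sample config has the PIN replaced with a constructed placeholder. It checks the file for self-consistency only; it does not diagnose the TLS handshake failure itself.

```python
"""Consistency checks for the key-related settings of a pkispawn [DEFAULT] config."""
import configparser

# Constructed sample: the configuration quoted in the message, PIN replaced by a placeholder.
SAMPLE_CONFIG = """\
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=PLACEHOLDER_PIN
pki_random_serial_numbers_enable=True
"""

# Named curves Dogtag accepts for ECC CA signing keys.
EC_CURVES = {"nistp256", "nistp384", "nistp521"}
# RSA sizes this checker treats as acceptable (assumption for the example).
RSA_SIZES = {"2048", "3072", "4096"}
# Settings that must be present whenever an HSM is enabled.
HSM_REQUIRED = ("pki_hsm_libfile", "pki_hsm_modulename", "pki_token_name")


def parse_config(text):
    """Parse the [DEFAULT] section into a plain dict (configparser lowercases keys)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["DEFAULT"])


def check_key_settings(cfg):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    key_type = cfg.get("ipa_key_type", "rsa").lower()
    key_size = cfg.get("ipa_key_size", "")
    algos = {name: cfg.get(name, "")
             for name in ("ipa_key_algorithm", "ipa_signing_algorithm")}

    if key_type == "ecc":
        # ECC keys are sized by curve name and signed with a *withEC algorithm.
        if key_size not in EC_CURVES:
            findings.append(f"ipa_key_size={key_size!r} is not one of {sorted(EC_CURVES)}")
        for name, algo in algos.items():
            if algo and not algo.endswith("withEC"):
                findings.append(f"{name}={algo!r} does not match ipa_key_type=ecc")
    elif key_type == "rsa":
        # RSA keys are sized in bits and signed with a *withRSA algorithm.
        if key_size not in RSA_SIZES:
            findings.append(f"ipa_key_size={key_size!r} is not one of {sorted(RSA_SIZES)}")
        for name, algo in algos.items():
            if algo and not algo.endswith("withRSA"):
                findings.append(f"{name}={algo!r} does not match ipa_key_type=rsa")
    else:
        findings.append(f"unknown ipa_key_type {key_type!r}")

    # Assumption: the CA signing key size/curve should agree with the IPA key size.
    ca_size = cfg.get("pki_ca_signing_key_size")
    if ca_size is not None and ca_size != key_size:
        findings.append(f"pki_ca_signing_key_size={ca_size!r} differs from ipa_key_size={key_size!r}")

    if cfg.get("pki_hsm_enable", "False").lower() == "true":
        for name in HSM_REQUIRED:
            if not cfg.get(name):
                findings.append(f"{name} is required when pki_hsm_enable=True")

    # A PIN in the deployment file is a cleartext credential at rest; report it.
    if cfg.get("pki_token_password"):
        findings.append("pki_token_password is stored in cleartext in the config file")

    return findings


if __name__ == "__main__":
    for line in check_key_settings(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(line)
```

Run against the quoted configuration, the only finding is the cleartext token PIN; swapping in an RSA size or a `withRSA` algorithm under `ipa_key_type=ecc` produces a finding per mismatched setting, which is the kind of mismatch worth ruling out before digging into `/var/log/pki/pki-tomcat`.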