[Freeipa-users] ECC keypair generation failed with `ipa-server-instal` on HSM

Hello, Recently I've been experimenting on HSM with FreeIPA, I got stuck at the CA generation, but it's a separate issue. I somehow achieve a successful key generation on HSM with default key_algorimth/size/ settings. RSA 3072/2048 keys showed up on the HSM even after a failed CA installation but not the case with ECC keys. The error was: Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned non-zero exit status 1: pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056) configuration : ERROR Server failed to restart pkispawn : ERROR Exception: server failed to restart File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main scriptlet.spawn(deployer) File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn raise Exception("server failed to restart") ') See the installation logs and the following files/directories for more information: /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. CA configuration failed. and configuration was: ``` [DEFAULT] ipa_key_algorithm=SHA256withEC ipa_key_size=nistp384 ipa_key_type=ecc ipa_signing_algorithm=SHA256withEC pki_ca_signing_key_size=nistp384 pki_hsm_enable=True pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so pki_hsm_modulename=nitrohsm pki_token_name=UserPIN (SmartCard-HSM) pki_token_password=648219 pki_random_serial_numbers_enable=True ``` -- Regards, Quan Zhou F2999657195657205828D56F35F9E5CDBD86324B quanzhou822(a)gmail.com