Hello,

Recently I've been experimenting with an HSM and FreeIPA. I got stuck at the CA generation, but that's a separate issue. I somehow achieved a successful key generation on the HSM with the default key_algorithm/size settings: RSA 3072/2048 keys showed up on the HSM even after a failed CA installation, but that's not the case with ECC keys.

The error was:
```
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned non-zero exit status 1:

pkihelper     : ERROR    Server unreachable due to SSL error:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]

sslv3 alert handshake failure (_ssl.c:1056)

configuration : ERROR    Server failed to restart
pkispawn      : ERROR    Exception: server failed to restart

  File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
    raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
```

and the configuration was:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219

pki_random_serial_numbers_enable=True
```
--
Regards,

Quan Zhou

F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822@gmail.com
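One check worth running before retrying an ECC configuration like the one above is whether the PKCS#11 module (here /usr/lib64/opensc-pkcs11.so) actually advertises EC key pair generation and ECDSA signing for the requested curve, since the CA can only create on the token what the module exposes. The script below is an added example, not code from the original post, FreeIPA or Dogtag. It assumes the text format printed by OpenSC's `pkcs11-tool --list-mechanisms` and pkcs11-tool's mechanism names (ECDSA-KEY-PAIR-GEN, ECDSA, ECDSA-SHA256); the two sample listings embedded in it are constructed, not captured from a SmartCard-HSM.

```python
"""Added example (not from the original post, FreeIPA or Dogtag): check whether a
PKCS#11 module advertises the mechanisms an ECDSA-keyed CA needs.

Assumptions: the parser expects the text format printed by OpenSC's
`pkcs11-tool --list-mechanisms`; mechanism names follow pkcs11-tool's naming
(ECDSA-KEY-PAIR-GEN, ECDSA, ECDSA-SHA256); the sample listings below are
constructed, not captured from a SmartCard-HSM.
"""
import re
import subprocess

# One mechanism line, e.g. "  ECDSA, keySize={192,521}, hw, sign, verify"
MECH_RE = re.compile(
    r"^\s+(?P<name>[A-Z0-9-]+)"
    r"(?:, keySize=\{(?P<lo>\d+),(?P<hi>\d+)\})?"
    r"(?P<flags>(?:, [a-z_]+)*)\s*$"
)

CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def curve_bits(pki_key_size):
    """Map a pki_ca_signing_key_size value such as nistp384 to the field size."""
    return CURVE_BITS[pki_key_size]


def parse_mechanisms(text):
    """Return {mechanism name: {"lo": int|None, "hi": int|None, "flags": set}}.

    Header lines ("Using slot ...", "Supported mechanisms:") are not indented
    and are skipped; unrecognised lines (e.g. mechtype-0x...) are ignored.
    """
    mechs = {}
    for line in text.splitlines():
        m = MECH_RE.match(line)
        if not m:
            continue
        lo, hi = m.group("lo"), m.group("hi")
        mechs[m.group("name")] = {
            "lo": int(lo) if lo else None,
            "hi": int(hi) if hi else None,
            "flags": {f for f in m.group("flags").split(", ") if f},
        }
    return mechs


def check_ec_ca_support(mechs, bits):
    """List what is missing for an ECDSA CA key of `bits` (empty list = OK).

    Needs an EC key pair generation mechanism whose size range covers the
    curve, and an ECDSA signing mechanism (raw ECDSA lets the host hash with
    SHA-256 itself; ECDSA-SHA256 hashes on the token).
    """
    missing = []
    gen = mechs.get("ECDSA-KEY-PAIR-GEN")
    if gen is None or "generate_key_pair" not in gen["flags"]:
        missing.append("no EC key pair generation mechanism (ECDSA-KEY-PAIR-GEN)")
    elif gen["lo"] is not None and not gen["lo"] <= bits <= gen["hi"]:
        missing.append(
            f"EC keygen size range {gen['lo']}-{gen['hi']} does not cover {bits}"
        )
    if not any(n in mechs and "sign" in mechs[n]["flags"]
               for n in ("ECDSA", "ECDSA-SHA256")):
        missing.append("no ECDSA signing mechanism (ECDSA or ECDSA-SHA256)")
    return missing


def list_mechanisms(module_path, slot=None):
    """Run pkcs11-tool against a real module and return its stdout."""
    cmd = ["pkcs11-tool", "--module", module_path, "--list-mechanisms"]
    if slot is not None:
        cmd += ["--slot", str(slot)]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample listings (format mimics pkcs11-tool; values are invented).
SAMPLE_EC_TOKEN = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  ECDSA, keySize={192,521}, hw, sign, verify
  ECDSA-SHA1, keySize={192,521}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
"""

SAMPLE_RSA_ONLY_TOKEN = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, hw, generate_key_pair
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in
    # list_mechanisms("/usr/lib64/opensc-pkcs11.so") to test a real token.
    for label, text in (("EC token", SAMPLE_EC_TOKEN),
                        ("RSA-only token", SAMPLE_RSA_ONLY_TOKEN)):
        problems = check_ec_ca_support(parse_mechanisms(text), curve_bits("nistp384"))
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

On a real system, `check_ec_ca_support(parse_mechanisms(list_mechanisms("/usr/lib64/opensc-pkcs11.so")), curve_bits("nistp384"))` returns an empty list if the module exposes what the nistp384 configuration needs; a non-empty list points at the module rather than at pkispawn.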