On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
> チョーチュアン via FreeIPA-users wrote:
> > Hello,
> >
> > Recently I've been experimenting on HSM with FreeIPA. I got stuck at the
> > CA generation, but it's a separate issue. I somehow achieved successful
> > key generation on the HSM with the default key_algorithm/size settings. RSA
> > 3072/2048 keys showed up on the HSM even after a failed CA installation,
> > but not the case with ECC keys.
> >
> > The error was:
> > Failed to configure CA instance: CalledProcessError(Command
> > ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
> > non-zero exit status 1:
> >
> > pkihelper : ERROR Server unreachable due to SSL error:
> > [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
> >
> > sslv3 alert handshake failure (_ssl.c:1056)
> >
> > configuration : ERROR Server failed to restart
> > pkispawn : ERROR Exception: server failed to restart
> >
> > File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
> > scriptlet.spawn(deployer)
> > File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
> > raise Exception("server failed to restart")
> > ')
> > See the installation logs and the following files/directories for more
> > information:
> > /var/log/pki/pki-tomcat
> > [error] RuntimeError: CA configuration failed.
> > CA configuration failed.
> >
> > and the configuration was:
> > ```
> > [DEFAULT]
> > ipa_key_algorithm=SHA256withEC
> > ipa_key_size=nistp384
> > ipa_key_type=ecc
> > ipa_signing_algorithm=SHA256withEC
> > pki_ca_signing_key_size=nistp384
> >
> > pki_hsm_enable=True
> > pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
> > pki_hsm_modulename=nitrohsm
> > pki_token_name=UserPIN (SmartCard-HSM)
> > pki_token_password=648219
> >
> > pki_random_serial_numbers_enable=True
> > ```
> You're really on the bleeding edge. I don't know that HSM works reliably
> yet. An ECC CA is not something we're planning on ever doing (keys too
> small) so you're on your own with that.
Yes, to both: not supporting ECC CA (following NIST recommendations) and
not having it working yet in Dogtag with HSM.

Do I understand right that for a non-ECC CA you have it working apart from
a negotiation error? I think Christian saw the negotiation error too, and
there should be a bug opened on the Dogtag side for something related.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
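An added example (not code from the thread, FreeIPA or Dogtag) that checks the kind of `[DEFAULT]` override section quoted above before it is handed to the installer: it confirms that the `ipa_key_*` and `pki_ca_signing_key_size` values agree with each other (EC algorithms with a curve name, RSA algorithms with a numeric size), flags the ECC-plus-HSM combination the replies describe as unsupported, and warns when `pki_token_password` is present in plaintext. The accepted RSA sizes and EC curve names are assumptions of the example, and the sample configuration is constructed from the thread with the PIN replaced by a placeholder.

```python
import configparser
from typing import List

# Constructed sample: the [DEFAULT] section from the thread with the token
# PIN replaced by a placeholder (example input, not a real secret).
SAMPLE_CONFIG = """\
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=EXAMPLE-PIN-PLACEHOLDER

pki_random_serial_numbers_enable=True
"""

# Constructed RSA-only counterpart (no HSM) that should pass every check.
RSA_CONFIG = """\
[DEFAULT]
ipa_key_algorithm=SHA256withRSA
ipa_key_size=3072
ipa_key_type=rsa
ipa_signing_algorithm=SHA256withRSA
pki_ca_signing_key_size=3072
"""

# Assumed value sets for this example; check your installer version's docs.
RSA_SIZES = {"2048", "3072", "4096"}
EC_CURVES = {"nistp256", "nistp384", "nistp521"}


def check_ca_config(text: str) -> List[str]:
    """Return a list of findings for a CA override section; empty means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = cp["DEFAULT"]
    findings: List[str] = []

    key_type = section.get("ipa_key_type", "rsa").lower()
    key_size = section.get("ipa_key_size", "")
    ca_size = section.get("pki_ca_signing_key_size", key_size)

    # Algorithm names must match the declared key type.
    for name in ("ipa_key_algorithm", "ipa_signing_algorithm"):
        alg = section.get(name, "")
        if key_type == "ecc" and not alg.endswith("withEC"):
            findings.append(f"{name}={alg!r} does not match ipa_key_type=ecc")
        if key_type == "rsa" and alg and not alg.endswith("withRSA"):
            findings.append(f"{name}={alg!r} does not match ipa_key_type=rsa")

    # Key "size" is a curve name for EC keys and a bit length for RSA keys.
    sizes = (("ipa_key_size", key_size), ("pki_ca_signing_key_size", ca_size))
    if key_type == "ecc":
        for name, value in sizes:
            if value not in EC_CURVES:
                findings.append(f"{name}={value!r} is not a known EC curve name")
    elif key_type == "rsa":
        for name, value in sizes:
            if value not in RSA_SIZES:
                findings.append(f"{name}={value!r} is not an accepted RSA key size")
    else:
        findings.append(f"unknown ipa_key_type={key_type!r}")

    hsm_enabled = section.getboolean("pki_hsm_enable", fallback=False)
    if hsm_enabled and key_type == "ecc":
        # The thread reports an ECC CA on an HSM as unsupported / not yet working.
        findings.append("ECC CA signing key with pki_hsm_enable=True: "
                        "reported as unsupported in this configuration")
    if hsm_enabled and section.get("pki_token_password"):
        findings.append("pki_token_password is stored in plaintext in the override "
                        "file: restrict its permissions and remove it after install")
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread config", SAMPLE_CONFIG), ("rsa config", RSA_CONFIG)):
        print(f"{label}: {check_ca_config(cfg) or ['no findings']}")
```

Running the checker over the thread's configuration reports the ECC-on-HSM combination and the plaintext PIN; the RSA variant without an HSM produces no findings, which matches the thread's observation that RSA keys were the only ones generated successfully.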