Thanks for the feed, and yes, I have the RSA CA working apart from a
negotiation error.
On Wed, May 29, 2019 at 12:11 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
>チョーチュアン via FreeIPA-users wrote:
>> Hello,
>>
>> Recently I've been experimenting on HSM with FreeIPA, I got stuck at the
>> CA generation, but it's a separate issue. I somehow achieve a successful
>> key generation on HSM with default key_algorithm/size settings. RSA
>> 3072/2048 keys showed up on the HSM even after a failed CA installation
>> but not the case with ECC keys.
>>
>> The error was:
>> Failed to configure CA instance: CalledProcessError(Command
>> ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
>> non-zero exit status 1:
>>
>> pkihelper : ERROR Server unreachable due to SSL error:
>> [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
>>
>> sslv3 alert handshake failure (_ssl.c:1056)
>>
>> configuration : ERROR Server failed to restart
>> pkispawn : ERROR Exception: server failed to restart
>>
>> File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
>> scriptlet.spawn(deployer)
>> File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
>> raise Exception("server failed to restart")
>> ')
>> See the installation logs and the following files/directories for more
>> information:
>> /var/log/pki/pki-tomcat
>> [error] RuntimeError: CA configuration failed.
>> CA configuration failed.
>>
>> and configuration was:
>> ```
>> [DEFAULT]
>> ipa_key_algorithm=SHA256withEC
>> ipa_key_size=nistp384
>> ipa_key_type=ecc
>> ipa_signing_algorithm=SHA256withEC
>> pki_ca_signing_key_size=nistp384
>>
>> pki_hsm_enable=True
>> pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
>> pki_hsm_modulename=nitrohsm
>> pki_token_name=UserPIN (SmartCard-HSM)
>> pki_token_password=648219
>>
>> pki_random_serial_numbers_enable=True
>> ```
>
>You're really on the bleeding edge. I don't know that HSM works reliably
>yet. An ECC CA is not something we're planning on ever doing (keys too
>small) so you're on your own with that.
Yes, to both not supporting ECC CA (following NIST recommendations) and
to not have it working yet in Dogtag with HSM.
Do I understand right that for non-ECC CA you have it working apart from
a negotiation error? I think Christian saw negotiation error too and
there should be a bug opened at Dogtag side for something related.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
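The configuration fragment quoted in the thread mixes an ECC key type with curve-named sizes and EC signing algorithms, and it also carries the HSM token PIN in clear text. The script below is an added example (not FreeIPA or Dogtag code, and not how pkispawn itself validates its input) that parses such a `[DEFAULT]` fragment, checks that the key type, key sizes and signing algorithms agree with each other, reports the ECC CA as unsupported (as Rob and Alexander state above), and redacts the PIN before the fragment is pasted anywhere. The consistency rules, the 2048-bit RSA floor and the set of keys treated as secrets are this example's own assumptions.

```python
"""Sanity-check a pkispawn-style [DEFAULT] fragment and redact secrets.

Added example, not FreeIPA/Dogtag code. The rules encoded here are the
example's own assumptions about what a consistent fragment looks like.
"""
import configparser

# Constructed sample, modelled on the fragment quoted in the thread.
SAMPLE_CONFIG = """\
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
"""

# Keys whose values must never leave the host in a pasted config (assumed set).
SECRET_KEYS = {"pki_token_password"}
REDACTED = "<redacted>"

# Curve names accepted as "key sizes" for an EC key (assumption for this example).
EC_CURVES = {"nistp256", "nistp384", "nistp521"}
# Expected suffix of the signing algorithm name per key type.
SIGNING_SUFFIX = {"rsa": "withRSA", "ecc": "withEC"}
MIN_RSA_BITS = 2048  # assumed floor; the thread mentions 3072/2048 defaults


def parse(text):
    """Parse the INI text and return the [DEFAULT] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["DEFAULT"])


def check_consistency(cfg):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    key_type = cfg.get("ipa_key_type", "rsa").lower()
    sizes = [cfg[k] for k in ("ipa_key_size", "pki_ca_signing_key_size") if k in cfg]
    algs = [cfg[k] for k in ("ipa_key_algorithm", "ipa_signing_algorithm") if k in cfg]

    if key_type == "ecc":
        # Stated in the thread: FreeIPA does not plan to support an ECC CA.
        findings.append("ipa_key_type=ecc: FreeIPA does not support an ECC CA")
        for s in sizes:
            if s not in EC_CURVES:
                findings.append(f"key size {s!r} is not an EC curve name")
    elif key_type == "rsa":
        for s in sizes:
            if not s.isdigit() or int(s) < MIN_RSA_BITS:
                findings.append(f"RSA key size {s!r} is below {MIN_RSA_BITS} bits")
    else:
        findings.append(f"unknown ipa_key_type {key_type!r}")

    suffix = SIGNING_SUFFIX.get(key_type)
    for a in algs:
        if suffix and not a.endswith(suffix):
            findings.append(f"algorithm {a!r} does not match key type {key_type!r}")
    return findings


def redact(text):
    """Replace the value of every secret key with a placeholder, line by line."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            out.append(f"{key}={REDACTED}")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for finding in check_consistency(parse(SAMPLE_CONFIG)):
        print("finding:", finding)
    print(redact(SAMPLE_CONFIG))
```

Run against the sample it reports only the unsupported-ECC finding, because the curve names and `withEC` algorithms are mutually consistent; a fragment that swapped in `ipa_key_size=2048` or `SHA256withRSA` while keeping `ipa_key_type=ecc` would be flagged as a mismatch, which is the kind of silent inconsistency that surfaces later as a handshake or key-generation failure rather than a clear config error.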