Thanks for the feed, and yes, I have the RSA CA working apart from a
On Wed, May 29, 2019 at 12:11 AM Alexander Bokovoy <abokovoy(a)redhat.com>
On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
>チョーチュアン via FreeIPA-users wrote:
>> Recently I've been experimenting on HSM with FreeIPA, I got stuck at the
>> CA generation, but it's a separate issue. I somehow achieved a successful
>> key generation on HSM with default key_algorithm/size settings. RSA
>> 3072/2048 keys showed up on the HSM even after a failed CA installation,
>> but that was not the case with ECC keys.
>> The error was:
>> Failed to configure CA instance: CalledProcessError(Command
>> ['/usr/sbin/pkispawn', '-s', 'CA', '-f',
>> non-zero exit status 1:
>> pkihelper : ERROR Server unreachable due to SSL error:
>> [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
>> sslv3 alert handshake failure (_ssl.c:1056)
>> configuration : ERROR Server failed to restart
>> pkispawn : ERROR Exception: server failed to restart
>> File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py",
>> 547, in main
>> line 670, in spawn
>> raise Exception("server failed to restart")
>> See the installation logs and the following files/directories for more
>> [error] RuntimeError: CA configuration failed.
>> CA configuration failed.
>> and configuration was:
>> pki_token_name=UserPIN (SmartCard-HSM)
>You're really on the bleeding edge. I don't know that HSM works reliably
>yet. An ECC CA is not something we're planning on ever doing (keys too
>small) so you're on your own with that.
Yes, to both not supporting ECC CA (following NIST recommendations) and
to not having it working yet in Dogtag with HSM.
Do I understand right that for non-ECC CA you have it working apart from
a negotiation error? I think Christian saw negotiation error too and
there should be a bug opened at Dogtag side for something related.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland