Right now we assume keys are stored unencrypted. That's probably not going to fly with everyone, and since NSS-using apps typically support storing a PIN in a file somewhere when unattended operation is required, we probably need to support it, too. This needs to be tracked and handled on a per-request basis, since key locations can be different for each.
The getcert command doesn't have -p or -P options yet, so those can be used for specifying the PIN's location or value. Will probably need to add another "stuck" state for "can't access key store".
Initial support landed in 0.18.