Issue #1403: HSM Clones: Transport 'master' NSS db certs to 'clone' NSS db - dogtagpki

dogtagpki

#1403 HSM Clones: Transport 'master' NSS db certs to 'clone' NSS db

Closed: Fixed None Opened 8 years ago by mharmsen.

During testing, it was discovered that when creating a clone on an HSM, we still require transportation of the 'master' NSS db software certificates to the 'clone' NSS db in order to provide the proper Trust attributes to the certificates on the HSM.

IMPORTANT:  These software certificates are only used to establish
            the trust flags on the certificates that are actually
            stored on the HSM; all private keys are stored on the HSM.

Proposed Milestone: 10.2.5

mharmsen commented 8 years ago

Sample workaround 1 for a CA using 'certutil':
```
MASTER:

# cd /var/lib/pki/pki-tomcat/alias

# certutil -d . -n "caSigningCert cert-pki-tomcat CA" -L  -a > casign.crt

# certutil -d . -n "auditSigningCert cert-pki-tomcat CA" -L  -a > caaudit.crt

CLONE:

# cd /var/lib/pki/pki-tomcat/alias

Copy 'casign.crt' and caaudit.crt' from the 'master' to this directory.

# certutil -A -d . -n "caSigningCert cert-pki-tomcat CA" -t "CTu,CTu,CTu" -a -i casign.crt

# certutil -A -d . -n "auditSigningCert cert-pki-tomcat CA" -t "u,u,Pu" -a -i caaudit.crt

# systemctl restart pki-tomcatd@pki-tomcat.service

mharmsen commented 8 years ago

Sample alternative workaround 2 for a CA using 'certutil':

CLONE:

    # cd /var/lib/pki/pki-tomcat/alias

    # certutil -d . -n "dev-intca:caSigningCert cert-pki-tomcat CA" -t "CTu,CTu,CTu" -h dev-intca -M
    Enter Password or Pin for "dev-intca":

    # certutil -d . -n "dev-intca:auditSigningCert cert-pki-tomcat CA" -t "u,u,Pu" -h dev-intca -M
    Enter Password or Pin for "dev-intca":

    # systemctl restart pki-tomcatd@pki-tomcat.service

dminnich commented 8 years ago

Could pki_backup_keys be used to accomplish the needed? Seems like we had to not specify that to use an hsm though.

mharmsen commented 8 years ago

Per IRC conversation, vakwetu volunteered to create the patch if mharmsen would test it.

mharmsen commented 8 years ago

Fix for HSM cloning issue (vakwetu + minor changes from mharmsen)
20150616-Fix-for-HSM-cloning-issue.patch

mharmsen commented 8 years ago

Successfully tested on master-clone LunaSA setup.

mharmsen commented 8 years ago

Checked into 'master':

ce50ced9c842f6232bf136ba77233f05e95c80b7

Metadata Update from @mharmsen:
- Issue assigned to vakwetu
- Issue set to the milestone: 10.2.5

7 years ago

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1964

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata

Assignee

vakwetu

Tags

None

Blocking

None

Depending on

None

Priority

critical

Milestone

10.2.5

lowhangingfruit

None

reporter

None

rhbz

None

type

defect

version

None

keywords

None

estimate

None

feature

None

origin

RHCust

proposedpriority

None

fixedinversion

None

platforms

None

blockedby

None

blocking

None

reviewer

None

component

Installation/Configuration

proposedmilestone

None

dogtagpki

Source Code

#1403 HSM Clones: Transport 'master' NSS db certs to 'clone' NSS db Closed: Fixed None Opened 8 years ago by mharmsen.

Metadata

#1403 HSM Clones: Transport 'master' NSS db certs to 'clone' NSS db

Closed: Fixed None Opened 8 years ago by mharmsen.