There are 2 Problems:
<snip>
pkispawn : DEBUG ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-3.el7pki</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : DEBUG ....... Error Type: ValueError
pkispawn : DEBUG ....... Error Message: invalid literal for int() with base 10: 'nistp256'
pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4421, in set_admin_parameters
    noise_file, int(self.mdict['pki_admin_keysize']))
</snip>
If I do not specify pki_admin_keysize, then by default the Administrator's cert is created with RSA, even though I specify pki_admin_keytype=ecc.
$ pki -d /opt/cmcreq/test -c 'redhat' -n "PKI Administrator for example.org" cert
ProcessingException: Unable to invoke request

$ pki -d /opt/cmcreq/test -c 'redhat' -n "PKI Administrator for example.org" user
ProcessingException: Unable to invoke request
Steps to Reproduce:
1. Install CA with ECC
2. Use default admin certificate to create new users using pki command
Actual results:
Unable to create new users, groups.
Expected results:
Should be able to create new users, groups. Should be able to create Admin cert using ECC during installation.
Additional info:
ca Instance creation inf file used in my setup is:

[DEFAULT]
pki_instance_name=Foobar1-CA
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_dualkey=True
pki_admin_keytype=ecc
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki3.example.org
pki_security_domain_name=Foobar.org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/Foobar1-CA
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005
[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_audit_signing_key_type=ecc
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_signing_algorithm=SHA256withEC
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123
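The traceback in this report ends in `int(self.mdict['pki_admin_keysize'])`, which cannot parse a curve name such as `nistp256`. As an added example (not code from the report or from Dogtag PKI), this sketch validates key type and size as a pair and picks a default that follows the key type; `resolve_admin_key`, `load_admin_key`, the curve set and the fallback sizes are assumptions made for illustration.

```python
import configparser

# Assumed set of NSS curve names; the report itself only shows nistp256.
EC_CURVES = {"nistp256", "nistp384", "nistp521"}
# Assumed fallbacks for this sketch, not Dogtag's documented defaults.
DEFAULT_SIZE = {"rsa": "2048", "ecc": "nistp256"}


def resolve_admin_key(mdict):
    """Return (key_type, size): size is an int for RSA, a curve name for ECC.

    Hypothetical helper: validates the pair instead of calling int() blindly.
    """
    key_type = mdict.get("pki_admin_keytype", "rsa").strip().lower()
    if key_type not in DEFAULT_SIZE:
        raise ValueError("unsupported pki_admin_keytype: %r" % key_type)
    # The default follows the key type, so ecc without a size stays ECC.
    raw = mdict.get("pki_admin_keysize", DEFAULT_SIZE[key_type]).strip()
    if key_type == "ecc":
        if raw.lower() not in EC_CURVES:
            raise ValueError("pki_admin_keysize=%r is not a known curve" % raw)
        return key_type, raw.lower()
    if not raw.isdecimal():
        raise ValueError("pki_admin_keysize=%r must be a bit length" % raw)
    return key_type, int(raw)


# Constructed sample input, trimmed to the key settings from the report.
SAMPLE_CFG = """
[DEFAULT]
pki_admin_keytype=ecc
pki_admin_keysize=nistp256
[CA]
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
"""


def load_admin_key(text):
    """Parse an inf-style file and resolve the admin key parameters."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return resolve_admin_key(dict(parser["CA"]))  # [CA] inherits [DEFAULT]


if __name__ == "__main__":
    print(load_admin_key(SAMPLE_CFG))
```

A mismatched pair, such as `rsa` with a curve name or `ecc` with a bit length, is rejected with a message naming the offending value rather than surfacing as a bare `int()` traceback during deployment.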
If you were to add the pki_admin_key_size, would it have worked then? If so, the real issue is more on the CLI then? Please clarify this in this ticket as well as the subject line.
Per CS/DS Meeting of 07/27/2015: 10.2.7
Checked into master:
Modified in 10.2.6-4.
Metadata Update from @mrniranjan: - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2063
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.