#3105 Dogtag Duplicates Audit and CA certificates in NSS DB when using HSM
Closed: migrated 3 years ago by dmoluguw. Opened 4 years ago by magnuskkarlsson.

Installed Dogtag 10.7.0-1.fc30 with SoftHSM and disabled p11-kit, and with the bug fix
https://pagure.io/dogtagpki/issue/3093
https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8

And with the following configuration file

$ vi /root/dogtag-ca-softhsm.cfg

[DEFAULT]
pki_server_database_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=Dogtag
pki_token_password=redhat123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=redhat123
pki_admin_uid=caadmin

pki_client_database_password=redhat123
pki_client_database_purge=False
pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=redhat123
pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=Dogtag
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=Dogtag
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=Dogtag
pki_subsystem_nickname=subsystem

$ pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA

But the Audit and CA certificates are duplicated, present both in the Internal and in the HSM token NSS DB. The private keys for the above are not duplicated.

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver u,u,u
ca_audit_signing u,u,Pu
ca_signing CTu,Cu,Cu
Dogtag:ca_signing CTu,Cu,Cu
Dogtag:ca_audit_signing u,u,Pu
Dogtag:ca_ocsp_signing u,u,u
Dogtag:subsystem u,u,u

This will be a problem when adding certmonger monitoring in FreeIPA, because certmonger will not update both certificates.

For details see attached installation file.
InstallingDogtagWithSoftHSM-FINAL.txt


A quick workaround would of course be to delete the Audit and CA certificates in the internal NSS DB, but does anyone know the reason why they are duplicated, and are those 2 internal ones used in any way?

$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_audit_signing'
$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_signing'

$ egrep "ca.cert.signing|ca.signing" /etc/pki/pki-tomcat/ca/CS.cfg
ca.cert.signing.certusage=SSLCA
ca.cert.signing.nickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.cacertnickname=caSigningCert cert-pki-ca
ca.signing.cert=MIIEqTCCA...
ca.signing.certnickname=caSigningCert cert-pki-ca
ca.signing.certreq=MIIDtzCCA...
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.newNickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=Dogtag

CS.cfg
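An added check (not part of this ticket or of Dogtag's own tooling) that parses a `certutil -L -h all` listing like the one above and reports nicknames stored in more than one token, so the internal copies that certmonger would not renew can be identified before cleaning up. The listing from the report is embedded as constructed sample input; `list_nssdb` assumes a `certutil` binary on PATH and is not used by the offline demo.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample: the `certutil -L -h all` listing from the report above.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver                                                    u,u,u
ca_audit_signing                                             u,u,Pu
ca_signing                                                   CTu,Cu,Cu
Dogtag:ca_signing                                            CTu,Cu,Cu
Dogtag:ca_audit_signing                                      u,u,Pu
Dogtag:ca_ocsp_signing                                       u,u,u
Dogtag:subsystem                                             u,u,u
"""

# A certificate row ends in three comma-separated trust fields (possibly empty).
ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Map (token, nickname) -> trust flags; a bare nickname lives in the internal token."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # column headers and blank lines carry no trust triple
        token, sep, name = m.group("nick").partition(":")  # "Dogtag:ca_signing"
        if not sep:
            token, name = "internal", m.group("nick")
        certs[(token, name)] = m.group("trust")
    return certs


def duplicated_across_tokens(certs):
    """Return {nickname: {token: trust}} for every nickname present in more than one token."""
    by_name = defaultdict(dict)
    for (token, name), trust in certs.items():
        by_name[name][token] = trust
    return {name: tokens for name, tokens in by_name.items() if len(tokens) > 1}


def report(text):
    """Human-readable lines, one per duplicated nickname, with the trust flags per token."""
    dups = duplicated_across_tokens(parse_listing(text))
    return [f"{name}: " + ", ".join(f"{t} ({flags})" for t, flags in sorted(tokens.items()))
            for name, tokens in sorted(dups.items())]


def list_nssdb(alias_dir, password_file):
    """Same check against a live NSS DB (assumed paths; requires certutil on PATH)."""
    cmd = ["certutil", "-L", "-d", alias_dir, "-h", "all", "-f", password_file]
    return report(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```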

Metadata Update from @cheimes:
- Custom field component adjusted to IPA Integration
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: major
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
- Issue tagged with: HSM

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3222

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
