Installed Dogtag 10.7.0-1.fc30 with SoftHSM and disabled p11-kit. And with bug fix https://pagure.io/dogtagpki/issue/3093 https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8
And with the following configuration file
```
$ vi /root/dogtag-ca-softhsm.cfg
```

```ini
[DEFAULT]
pki_server_database_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=Dogtag
pki_token_password=redhat123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=redhat123
pki_admin_uid=caadmin

pki_client_database_password=redhat123
pki_client_database_purge=False
pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=redhat123
pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=Dogtag
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=Dogtag
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=Dogtag
pki_subsystem_nickname=subsystem
```

```
$ pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA
```
But the Audit and CA certificates are duplicated, present both in the internal and in the HSM token NSS DB. The private keys for the above are not duplicated.

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

sslserver                                                    u,u,u
ca_audit_signing                                             u,u,Pu
ca_signing                                                   CTu,Cu,Cu
Dogtag:ca_signing                                            CTu,Cu,Cu
Dogtag:ca_audit_signing                                      u,u,Pu
Dogtag:ca_ocsp_signing                                       u,u,u
Dogtag:subsystem                                             u,u,u
```
This will be a problem when adding certmonger monitoring in FreeIPA, because certmonger will not update both certificates.
For details see the attached installation file: [InstallingDogtagWithSoftHSM-FINAL.txt](/dogtagpki/issue/raw/files/39674dbcecfa07c63fa1a8e0cd520f2154ad34dd5e18f6ebed794aad044e22dd-InstallingDogtagWithSoftHSM-FINAL.txt)
A quick workaround would of course be to delete the Audit and CA certificates in the internal NSS DB, but does anyone know the reason why they are duplicated, and are those two internal ones used in any way?
```
$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_audit_signing'
$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_signing'
```

```
$ egrep "ca.cert.signing|ca.signing" /etc/pki/pki-tomcat/ca/CS.cfg
ca.cert.signing.certusage=SSLCA
ca.cert.signing.nickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.cacertnickname=caSigningCert cert-pki-ca
ca.signing.cert=MIIEqTCCA...
ca.signing.certnickname=caSigningCert cert-pki-ca
ca.signing.certreq=MIIDtzCCA...
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.newNickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=Dogtag
```

Attached: [CS.cfg](/dogtagpki/issue/raw/files/de61009480298b5cbcb56d6ad869c7d1121e8245829d5f9762892e4559b4f152-CS.cfg)
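Added example, not code from the issue or from the Dogtag project: a shell check that parses `certutil -L -h all` output and reports every nickname present both in the internal softoken and on the HSM token, the duplication the report describes and the condition certmonger would trip over. `SAMPLE_LISTING` is constructed from the listing above; the token name `Dogtag` and the NSS DB path are taken from the report's configuration.

```shell
#!/bin/sh
# Constructed sample: the `certutil -L -h all` listing from the report,
# laid out one nickname per line as certutil prints it.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

sslserver                                     u,u,u
ca_audit_signing                              u,u,Pu
ca_signing                                    CTu,Cu,Cu
Dogtag:ca_signing                             CTu,Cu,Cu
Dogtag:ca_audit_signing                       u,u,Pu
Dogtag:ca_ocsp_signing                        u,u,u
Dogtag:subsystem                              u,u,u'

# find_duplicated_certs TOKEN   (reads a certutil -L listing on stdin)
# Prints each nickname that exists both without a token prefix (the
# internal softoken) and as TOKEN:nickname (the HSM token). Nicknames
# containing spaces (e.g. "caSigningCert cert-pki-ca") are handled by
# stripping only the trailing trust-attribute column.
find_duplicated_certs() {
    awk -v tok="$1" '
        /^Certificate Nickname/ || NF < 2 { next }   # header and blank lines
        {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)     # drop trust attributes
            sub(/^[ \t]+/, "", nick)
            if (index(nick, tok ":") == 1)
                on_hsm[substr(nick, length(tok) + 2)] = 1
            else if (index(nick, ":") == 0)
                internal[nick] = 1
        }
        END { for (n in internal) if (n in on_hsm) print n }' | sort
}

# Run over the constructed listing. Against the live server NSS DB from the
# report the same check is:
#   certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt | find_duplicated_certs Dogtag
sample_duplicates() {
    printf '%s\n' "$SAMPLE_LISTING" | find_duplicated_certs Dogtag
}

sample_duplicates
```

An empty result means every HSM-backed certificate has a single copy, which is the state certmonger expects before it starts tracking the nicknames.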
Metadata Update from @cheimes:
- Custom field component adjusted to IPA Integration
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: major
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
- Issue tagged with: HSM
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3222
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)