#3133 pki client-cert-import support for HSM token
Closed: migrated 3 years ago by dmoluguw. Opened 4 years ago by cipherboy.

Description of problem:
Currently pki client-cert-import doesn't support HSM token.

Version-Release number of selected component (if applicable):

pki-tools-10.5.1-13.1.el7_5.x86_64

How reproducible:

Steps to Reproduce:
1. Using PKCS10Client create a CSR using HSM token.
2. Approve the certificate using CMC method. Base 64 encoded certificate is stored in /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
3. Execute:
# pki -vvvv -d /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias -c $PASSWORD --token $HSM client-cert-import "IssuanceProtectionSystemCert" --cert /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
Server URI: http://$HOSTNAME:8080
Client security database: /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias
Message format: null
Command: client-cert-import IssuanceProtectionSystemCert --cert /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem
Module: client
Module: cert-import
Importing certificate from /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem.
External command: /bin/certutil -A -d /var/lib/pki/rhcs93-ECC-CA-aakkiang-nocp11/alias -f /tmp/pki-client-cert-import-899064207899981979.nssdb-pwd -i /opt/rhqa_pki/ca_IssuanceProtectionSystemCert.pem -n IssuanceProtectionSystemCert -t u,u,u
java.lang.Exception: Unable to import certificate file
    at com.netscape.cmstools.client.ClientCertImportCLI.importCert(ClientCertImportCLI.java:351)
    at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:171)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
Caused by: com.netscape.cmstools.cli.CLIException: External command failed. RC: 255
    at com.netscape.cmstools.cli.CLI.runExternal(CLI.java:386)
    at com.netscape.cmstools.cli.CLI.runExternal(CLI.java:358)
    at com.netscape.cmstools.client.ClientCertImportCLI.importCert(ClientCertImportCLI.java:349)
    ... 5 more

Actual results:
client-cert-import fails.

Expected results:
Certificate should be imported successfully.


Metadata Update from @cipherboy:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1594401

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3250

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
