[Pki-devel] [PATCH] 867 Fixed hanging subordinate CA with HSM installation in FIPS mode.

Endi Sukma Dewata edewata at redhat.com
Wed Nov 16 17:22:54 UTC 2016


On 11/15/2016 11:02 PM, Endi Sukma Dewata wrote:
> When installing a subordinate CA with HSM, the installer calls the
> pki CLI (which is implemented using JSS) to validate the imported
> CA certificate in HSM. Normally, the HSM password is specified as
> a CLI parameter, but in FIPS mode JSS requires both the HSM and the
> internal token passwords. Since the CLI only takes one password,
> JSS will prompt for the missing one on the console, causing the
> installation to hang.
>
> As a temporary solution, the pki-server subsystem-cert-validate
> command has been modified to validate certificates stored in the
> internal token only and it will use the internal token password,
> so only a single password is required. Further investigation in
> CLI/JSS/NSS is needed to support validating certificates in HSM
> without password prompts.
>
> https://fedorahosted.org/pki/ticket/2543

ACKed by alee (thanks!). Pushed to master.

-- 
Endi S. Dewata



