[Pki-devel] [PATCH] 867 Fixed hanging subordinate CA with HSM installation in FIPS mode.

Endi Sukma Dewata edewata at redhat.com
Wed Nov 16 05:02:21 UTC 2016


When installing a subordinate CA with an HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in the HSM. Normally, the HSM password is specified as
a CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console, causing the
installation to hang.

As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only, and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in an HSM
without password prompts.

https://fedorahosted.org/pki/ticket/2543

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0867-Fixed-hanging-subordinate-CA-with-HSM-installation-i.patch
Type: text/x-patch
Size: 2792 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20161115/660c2411/attachment.bin>

