[Pki-users] CA integration and installation with HSM
Christina Fu
cfu at redhat.com
Thu Nov 6 02:10:39 UTC 2014
You might want to check the basics first.
If you cd into your <dogtag instance directory>/alias
and perform
modutil -dbdir . -list
What do you see?
If you don't see the module, that means your HSM has not been loaded
correctly. If loaded correctly you should see info on the library name,
slots and status: loaded.
The library doesn't have to be in a specific location, but when you use
modutil to add you need to specify the libfile so it knows where to go.
Normally it is at /usr/lunasa/lib/ though.
I'll let someone who has knowledge about the pkispawn issue to answer
the rest of the question. Until then, you can try the above just to see
if your hsm has been loaded correctly.
Christina
On 11/05/2014 02:28 PM, Dennis Gnatowski wrote:
> I'm using Dogtag 10.1.1 with SafeNet Luna SA HSM. I changed the flags
> in the default.cfg file, performed the install, then added the PKCS#11
> library to secmod. However, either using the Wizard to do the
> configuration or modifying the default.cfg file again and using
> pkispawn failed to get CA keys generated on the HSM. Wizard doesn't
> see the SafeNet library (does it have to be in a specific directory?)
> and pkispawn throws an error "pkispawn : ERROR ....... KeyError:
> 'pki_uid'!" I noticed this was reported in ticket #905.
> -----------------------------------------------------------
> Dennis Gnatowski
> dgnatowski at yahoo.com
>
> ------------------------------------------------------------------------
> *From:* Marc Sauton <msauton at redhat.com>
> *To:* Dennis Gnatowski <dgnatowski at yahoo.com>; "pki-users at redhat.com"
> <pki-users at redhat.com>
> *Sent:* Monday, November 3, 2014 3:10 PM
> *Subject:* Re: [Pki-users] CA integration and installation with HSM
>
> On 11/02/2014 09:09 AM, Dennis Gnatowski wrote:
>> What are the steps to integrate DogTag (Root) CA with an HSM? Does
>> this have to occur during installation?
>>
>> I've successfully performed a general installation with CA keys in
>> software. I was then able to modify secmod.db to add the HSM library
>> and restart the system. I can both use command line utilities
>> (certutil) and GUI (pkiconsole) to create keys on the HSM. Re-keying
>> the caSigning certificate works but the CA certificate is issued
>> (issuer) by the original software-based issuer (therefore NOT a
>> self-signed CA cert!). So I assume this has to be done during
>> initial installation (custom install). But, how do I get the HSM
>> PKCS#11 library added/included with the custom install?
>> -----------------------------------------------------------
>> Dennis Gnatowski
>> dgnatowski at yahoo.com <mailto:dgnatowski at yahoo.com>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
> Adding the PKCS #11 module to secmod.db should happen after the
> pkicreate and just before running the silent install or the web based
> configuration wizard.
> In Dogtag 10, when using pkispawn, you can split the install and
> config steps in two using the flags pki_skip_configuration and
> pki_skip_installation.
> M.
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20141105/3fd8559e/attachment.htm>
More information about the Pki-users
mailing list