[Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM

Ade Lee alee at redhat.com
Thu Sep 29 15:24:29 UTC 2011


Interesting ..

This makes sense.  One of the things we do on the pk12 import panel is
contact the master to get things like key ids and the replication
password.  I need to look at the error reporting in that panel so that
the error is reported more clearly.

And yes, the rekey would likely have been an issue later on.

Glad it's all working now.

Ade

On Thu, 2011-09-29 at 10:41 -0400, Patrick.Raspante at gdc4s.com wrote:
> Ade,
> 
> BTW, this is on CS8 GA.
> 
> I've been able to complete the P12 import wizard page. The issue was that the Master CA's 'replicationdb' entry in the cms.passwordlist of CS.cfg was removed (unused extra prompt at startup). 
> 
> The rekey wasn't an issue on the p12 import page, but may be an issue for me later in the wizard during certificate generation.
> 
> 
> Patrick 
> 
> -----Original Message-----
> From: Ade Lee [mailto:alee at redhat.com] 
> Sent: Monday, September 26, 2011 11:51 AM
> To: Raspante, Patrick
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] CS 8.0: Cannot Complete CA Cloning Wizard Using nCipher netHSM
> 
> Patrick, 
> 
> This should work - given that the master's keys are visible to the
> clone.  The only thing this suggests is that the nicknames that are sent
> from the master to the clone at the beginning of the install process
> are incorrect.
> 
> To diagnose this, I'll need to know:
> 
> 1. Versions of pki-ca and pki-common (rpm -q pki-ca pki-common)
> 2. Copy of debug log for both master and clone.
> 3. Copy of CS.cfg for both master and clone.
> 4.  Is the HSM in FIPS mode?
> 
> Thanks, 
> Ade
> 
> On Sun, 2011-09-25 at 10:18 -0400, Patrick.Raspante at gdc4s.com wrote:
> > Given a Master CA with existing keys in an ncipher netHSM:
> > 
> > From Guide:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/cloning-a-ca.html
> > 
> > Documentation says there need not be any extra intervention to export
> > and import HSM keys if the new Clone resides on the same server as the
> > Master:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/exporting-keys.html
> > 
> > Cannot get past step 10. Leaving the p12 path and p12 password fields
> > blank (do not import p12s) results in an end of file sax parse error.
> > 
> > Tried feeding the wizard a dummy p12. Get an error message "Clone is
> > not ready". Debug log files reveal that not all required certificates
> > have been imported.
> > 
> > Also worth noting that before running the Clone Wizard:
> > 
> > # cd /var/lib/CLONE-CA/alias
> > # modutil -dbdir . -list
> > 
> > --The netHSM module is listed
> > 
> > # certutil -L -d . -h <token-name>
> > 
> > --Lists all of MASTER-CA's certificates/keys as available.
> > 
> > Has anyone identified a workaround for this?
> > 
> > Thanks
> > 
> > -pwr
> > 
> > 
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
> 
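The root cause in this thread was a master CS.cfg whose cms.passwordlist no longer named 'replicationdb', so the clone's pk12 import panel failed with an unhelpful "Clone is not ready" when it asked the master for the replication password. The following preflight check is an added example written for this archive page; it is not code from the thread, from Red Hat Certificate System or from Dogtag. It assumes only what the thread shows: CS.cfg is a key=value file carrying a comma-separated cms.passwordlist, and each tag in that list must have a matching non-empty entry in the server's password file (the path /var/lib/pki-ca/conf/password.conf used below is an assumption, as are the sample contents, which are constructed placeholders). Running it against the master before starting the clone wizard turns the opaque wizard error into a concrete configuration finding.

```python
"""Preflight check for CA cloning: verify every password tag the CA needs
is both listed in cms.passwordlist (CS.cfg) and present in password.conf.

Added example, not part of the mailing-list thread or of RHCS/Dogtag.
"""
import sys

# Constructed sample fragments, modelled on the key=value format of
# CS.cfg and password.conf; values are placeholders, not real secrets.
# This sample reproduces the misconfiguration from the thread:
# 'replicationdb' was dropped from cms.passwordlist.
MASTER_CS_CFG = """\
cs.type=CA
cms.passwordlist=internaldb
cms.password.ignore.publishing.failure=true
"""

MASTER_PASSWORD_CONF = """\
internal=placeholder-nss-token-password
internaldb=placeholder-internaldb-password
replicationdb=placeholder-replication-password
"""

# Tags a clone install asks the master for (assumption based on the thread:
# the pk12 import panel fetches the replication password from the master).
REQUIRED_FOR_CLONING = ("internaldb", "replicationdb")

# Assumed default locations on an RHCS 8 / Dogtag 9 style CA instance.
DEFAULT_CS_CFG = "/var/lib/pki-ca/conf/CS.cfg"
DEFAULT_PASSWORD_CONF = "/var/lib/pki-ca/conf/password.conf"


def parse_kv(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def password_list(cfg):
    """Return the tags named in cms.passwordlist, in order, as a list."""
    value = cfg.get("cms.passwordlist", "")
    return [p.strip() for p in value.split(",") if p.strip()]


def check_clone_prereqs(cs_cfg_text, password_conf_text):
    """Return a list of human-readable problems; empty means ready."""
    cfg = parse_kv(cs_cfg_text)
    pw = parse_kv(password_conf_text)
    listed = password_list(cfg)
    problems = []
    for tag in REQUIRED_FOR_CLONING:
        if tag not in listed:
            problems.append(f"{tag}: missing from cms.passwordlist in CS.cfg")
        if tag not in pw:
            problems.append(f"{tag}: no entry in password.conf")
        elif not pw[tag]:
            problems.append(f"{tag}: empty password in password.conf")
    return problems


def add_to_passwordlist(cs_cfg_text, tag):
    """Return CS.cfg text with `tag` appended to cms.passwordlist if absent."""
    lines = cs_cfg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("cms.passwordlist="):
            current = password_list({"cms.passwordlist": line.partition("=")[2]})
            if tag not in current:
                current.append(tag)
            lines[i] = "cms.passwordlist=" + ",".join(current)
            break
    else:
        lines.append("cms.passwordlist=" + tag)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise read
    # the two files given on the command line (CS.cfg, password.conf).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            cs_cfg = f.read()
        with open(sys.argv[2]) as f:
            pw_conf = f.read()
    else:
        cs_cfg, pw_conf = MASTER_CS_CFG, MASTER_PASSWORD_CONF
    issues = check_clone_prereqs(cs_cfg, pw_conf)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("OK: master password configuration is ready for cloning")
    sys.exit(1 if issues else 0)
```

On the constructed sample the check reports exactly one problem, 'replicationdb' missing from cms.passwordlist, which is the finding the clone wizard hid behind "Clone is not ready". The `add_to_passwordlist` helper shows the minimal correction; on a real instance the CA has to be restarted after editing CS.cfg, and the password file must stay readable only by the CA's service account, since it holds the replication and internal database secrets in clear text.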



