チョーチュアン via FreeIPA-users wrote:
Hello,
Recently I've been experimenting on HSM with FreeIPA. I got stuck at the
CA generation, but it's a separate issue. I somehow achieved a successful
key generation on HSM with the default key_algorithm/size settings: RSA
3072/2048 keys showed up on the HSM even after a failed CA installation,
but that was not the case with ECC keys.
The error was:
```
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned non-zero exit status 1:
pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
  File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
    raise Exception("server failed to restart")
')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
```
and the configuration was:
```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
pki_random_serial_numbers_enable=True
```
You're really on the bleeding edge. I don't know that HSM works reliably
yet. An ECC CA is not something we're planning on ever doing (keys too
small) so you're on your own with that.
rob
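An added pre-installation check, not from the thread or from FreeIPA/Dogtag: before pointing pkispawn at a PKCS#11 module with `pki_key_type=ecc`, confirm the token actually advertises an EC key-pair-generation mechanism whose key-size range covers the curve requested (384 bits for nistp384). It assumes OpenSC's `pkcs11-tool` is installed and that its `--list-mechanisms` output names the mechanism `ECDSA-KEY-PAIR-GEN` with a `keySize={min,max}` field; the sample listing in the test is constructed, and the module path and token label are the ones from the report above.

```shell
#!/bin/sh
# Added example: verify that a PKCS#11 token can generate EC key pairs of the
# size a pkispawn ECC configuration asks for. Not part of FreeIPA or Dogtag.

# ec_keygen_supported MIN_BITS  (mechanism listing on stdin)
# Reads `pkcs11-tool --list-mechanisms` style output and returns 0 when an
# EC key-pair-generation mechanism is listed whose keySize range covers
# MIN_BITS, 1 otherwise. The mechanism name and keySize field format are
# assumptions based on OpenSC's pkcs11-tool output.
ec_keygen_supported() {
    min_bits="$1"
    # e.g. "  ECDSA-KEY-PAIR-GEN, keySize={256,521}, hw, generate_key_pair"
    line=$(grep -E '^ *EC(DSA)?-KEY-PAIR-GEN' | head -n 1)
    [ -n "$line" ] || return 1        # no EC key-pair generation at all
    range=$(printf '%s\n' "$line" | sed -n 's/.*keySize={\([0-9]*\),\([0-9]*\)}.*/\1 \2/p')
    [ -n "$range" ] || return 1       # mechanism present but no size range advertised
    set -- $range                      # $1 = min size, $2 = max size
    [ "$1" -le "$min_bits" ] && [ "$min_bits" -le "$2" ]
}

# check_token MODULE TOKEN_LABEL MIN_BITS
# Live variant: queries the token through the given PKCS#11 module.
check_token() {
    pkcs11-tool --module "$1" --token-label "$2" --list-mechanisms 2>/dev/null \
        | ec_keygen_supported "$3"
}

# Usage with the module and token label from the thread; skipped when the
# tool is not installed so the script still runs on a machine without an HSM.
if command -v pkcs11-tool >/dev/null 2>&1; then
    if check_token /usr/lib64/opensc-pkcs11.so 'UserPIN (SmartCard-HSM)' 384; then
        echo "token advertises EC key-pair generation covering 384-bit keys"
    else
        echo "token does not advertise EC key-pair generation for 384-bit keys;" \
             "pkispawn will not be able to create a nistp384 CA key on it"
    fi
fi
```

If the check fails while RSA mechanisms are listed, the symptom in the report (RSA keys appear on the token, ECC keys never do) is explained by the token's capabilities rather than by the FreeIPA configuration.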