Thanks for the feedback, and yes, I have the RSA CA working apart from a negotiation error.

On Wed, May 29, 2019 at 12:11 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 28 May 2019, Rob Crittenden via FreeIPA-users wrote:
>チョーチュアン via FreeIPA-users wrote:
>> Hello,
>>
>> Recently I've been experimenting on HSM with FreeIPA, I got stuck at the
>> CA generation, but it's a separate issue. I somehow achieved a successful
>> key generation on HSM with default key_algorithm/size settings. RSA
>> 3072/2048 keys showed up on the HSM even after a failed CA installation
>> but not the case with ECC keys.
>>
>> The error was:
>> Failed to configure CA instance: CalledProcessError(Command
>> ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned
>> non-zero exit status 1:
>>
>> pkihelper     : ERROR    Server unreachable due to SSL error:
>> [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE]
>>
>> sslv3 alert handshake failure (_ssl.c:1056)
>>
>> configuration : ERROR    Server failed to restart
>> pkispawn      : ERROR    Exception: server failed to restart
>>
>>   File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line
>> 547, in main
>>     scriptlet.spawn(deployer)
>>   File
>> "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py",
>> line 670, in spawn
>>     raise Exception("server failed to restart")
>> ')
>> See the installation logs and the following files/directories for more
>> information:
>>   /var/log/pki/pki-tomcat
>>   [error] RuntimeError: CA configuration failed.
>> CA configuration failed.
>>
>> and configuration was:
>> ```
>> [DEFAULT]
>> ipa_key_algorithm=SHA256withEC
>> ipa_key_size=nistp384
>> ipa_key_type=ecc
>> ipa_signing_algorithm=SHA256withEC
>> pki_ca_signing_key_size=nistp384
>>
>> pki_hsm_enable=True
>> pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
>> pki_hsm_modulename=nitrohsm
>> pki_token_name=UserPIN (SmartCard-HSM)
>> pki_token_password=648219
>>
>> pki_random_serial_numbers_enable=True
>> ```
>
>You're really on the bleeding edge. I don't know that HSM works reliably
>yet. An ECC CA is not something we're planning on ever doing (keys too
>small) so you're on your own with that.
Yes, to both not supporting ECC CA (following NIST recommendations) and
to not having it working yet in Dogtag with HSM.

Do I understand right that for non-ECC CA you have it working apart from
a negotiation error? I think Christian saw negotiation error too and
there should be a bug opened at Dogtag side for something related.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


--
Regards,

Quan Zhou

F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822@gmail.com
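The pkispawn [DEFAULT] section posted in the thread above mixes an HSM token definition with an ECC CA key profile, and the reply says FreeIPA does not support an ECC CA at all. The script below is an added example, not code from FreeIPA or Dogtag: it lints such a deployment config before it is handed to the installer, checking that the HSM block is complete, that key type, curve/size and signing algorithm agree with each other, that the CA signing key size matches, and flagging the cleartext token PIN that pkispawn writes into a temporary file. The finding codes, the curve list and the "withEC"/"withRSA" pairing rule are this script's own assumptions, not a documented pkispawn contract; the sample config is constructed from the thread with the PIN replaced.

```python
"""Lint a pkispawn deployment config before running ipa-server-install / ipa-ca-install.

Added example, not part of FreeIPA or Dogtag. The "ECC CA unsupported" rule
comes from the thread above; finding codes, the curve set and the algorithm
suffix pairing are assumptions of this script.
"""
import configparser

# Constructed sample mirroring the poster's [DEFAULT] section, PIN replaced.
ECC_HSM_CONFIG = """\
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp384

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=REDACTED

pki_random_serial_numbers_enable=True
"""

# Same token, RSA 3072 CA profile (the working case reported in the thread).
RSA_HSM_CONFIG = (
    ECC_HSM_CONFIG.replace("SHA256withEC", "SHA256withRSA")
    .replace("nistp384", "3072")
    .replace("ipa_key_type=ecc", "ipa_key_type=rsa")
)

HSM_REQUIRED = ("pki_hsm_libfile", "pki_hsm_modulename", "pki_token_name")
EC_CURVES = {"nistp256", "nistp384", "nistp521"}   # assumed valid curve names
MIN_RSA_BITS = 2048


def lint(text):
    """Return a list of finding codes for a pkispawn config string (empty = clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    d = cp["DEFAULT"]
    findings = []

    # HSM block: every PKCS#11 locator must be present; the PIN sits in cleartext.
    if d.getboolean("pki_hsm_enable", fallback=False):
        for key in HSM_REQUIRED:
            if not d.get(key):
                findings.append(f"hsm-missing:{key}")
        if d.get("pki_token_password"):
            findings.append("hsm-cleartext-pin")

    # Key profile: type, size/curve and signing algorithm must agree.
    ktype = d.get("ipa_key_type", "rsa").lower()
    ksize = d.get("ipa_key_size", "")
    algs = (d.get("ipa_key_algorithm", ""), d.get("ipa_signing_algorithm", ""))
    if ktype == "ecc":
        findings.append("ecc-ca-unsupported")          # per the thread above
        if ksize not in EC_CURVES:
            findings.append(f"ecc-bad-curve:{ksize}")
        for alg in algs:
            if not alg.endswith("withEC"):
                findings.append(f"ecc-alg-mismatch:{alg}")
    elif ktype == "rsa":
        if not ksize.isdigit() or int(ksize) < MIN_RSA_BITS:
            findings.append(f"rsa-weak-size:{ksize}")
        for alg in algs:
            if not alg.endswith("withRSA"):
                findings.append(f"rsa-alg-mismatch:{alg}")
    else:
        findings.append(f"unknown-key-type:{ktype}")

    # The CA signing key must use the same size/curve as the IPA key profile.
    if d.get("pki_ca_signing_key_size", ksize) != ksize:
        findings.append("ca-signing-size-mismatch")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ecc", ECC_HSM_CONFIG), ("rsa", RSA_HSM_CONFIG)):
        print(name, lint(cfg))
```

Run it against the real file pkispawn was given (the `/tmp/tmp...` path in the error) before retrying the install; an empty list means the profile is at least internally consistent, and the `hsm-cleartext-pin` finding is a reminder to shred that temporary file once the install finishes.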