Open pki-bot opened 4 years ago
Comment from magnuskkarlsson at 2019-08-23 03:15:47
A quick workaround would of course be to delete the Audit and CA certificates in the internal NSS DB, but does anyone know the reason why they are duplicated, and are those 2 internal ones used in any way?

$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_audit_signing'
$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_signing'

$ egrep "ca.cert.signing|ca.signing" /etc/pki/pki-tomcat/ca/CS.cfg
ca.cert.signing.certusage=SSLCA
ca.cert.signing.nickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.cacertnickname=caSigningCert cert-pki-ca
ca.signing.cert=MIIEqTCCA...
ca.signing.certnickname=caSigningCert cert-pki-ca
ca.signing.certreq=MIIDtzCCA...
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.newNickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=Dogtag
Comment from cheimes (@tiran) at 2019-08-29 10:29:25
I believe this is expected. Certificate "trust" is an NSS context that has no equivalent in PKCS#11 so the nickname and trust will appear in the NSS database because that is where it is stored. I don't think this is a bug but it is certainly not obvious and confusing. I'm not sure what, if anything, can be done about it.
This issue was migrated from Pagure Issue #3105. Originally filed by magnuskkarlsson on 2019-08-22 09:07:13:
Installed Dogtag 10.7.0-1.fc30 with SoftHSM and disabled p11-kit, and with the bug fix from https://pagure.io/dogtagpki/issue/3093 (https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8).
And with the following configuration file:

$ vi /root/dogtag-ca-softhsm.cfg

[DEFAULT]
pki_server_database_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=Dogtag
pki_token_password=redhat123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=redhat123
pki_admin_uid=caadmin

pki_client_database_password=redhat123
pki_client_database_purge=False
pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=redhat123
pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=Dogtag
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=Dogtag
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=Dogtag
pki_subsystem_nickname=subsystem

$ pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA
But the Audit and CA certificates are duplicated, both in the Internal and in the HSM Token NSS DB. The private keys for the above are not duplicated.

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

sslserver                                     u,u,u
ca_audit_signing                              u,u,Pu
ca_signing                                    CTu,Cu,Cu
Dogtag:ca_signing                             CTu,Cu,Cu
Dogtag:ca_audit_signing                       u,u,Pu
Dogtag:ca_ocsp_signing                        u,u,u
Dogtag:subsystem                              u,u,u
This will be a problem when adding certmonger monitoring in FreeIPA, because certmonger will not update both certificates.
For details see attached installation file.
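To make the duplication described in this issue visible mechanically, for instance before and after a certmonger renewal, here is an added Python example (not code from the issue, from Dogtag or from certmonger) that parses a `certutil -L` listing and reports every nickname present both bare in the internal softoken and under the HSM token prefix, flagging copies whose trust flags no longer agree. The sample listing is the one quoted above, re-typed as constructed input; the token name `Dogtag` comes from the configuration in the issue.

```python
import re

# Constructed sample input: the `certutil -L -h all` listing quoted in the issue.
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

sslserver                                     u,u,u
ca_audit_signing                              u,u,Pu
ca_signing                                    CTu,Cu,Cu
Dogtag:ca_signing                             CTu,Cu,Cu
Dogtag:ca_audit_signing                       u,u,Pu
Dogtag:ca_ocsp_signing                        u,u,u
Dogtag:subsystem                              u,u,u
"""

# One entry per line: nickname (may contain single spaces), two or more spaces,
# then the three comma-separated trust fields, each possibly empty (e.g. ",,").
ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Return {nickname: trust flags} for each certificate line of a certutil -L listing."""
    certs = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def find_token_duplicates(certs, token):
    """Report nicknames present both as '<token>:<nick>' (HSM slot) and as bare '<nick>'
    (internal softoken). same_trust is False when the two copies' trust flags have
    drifted apart, e.g. after a renewal that updated only one of them."""
    prefix = token + ":"
    hits = []
    for nick, trust in sorted(certs.items()):
        if not nick.startswith(prefix):
            continue
        base = nick[len(prefix):]
        if base in certs:
            hits.append({"nickname": base, "internal_trust": certs[base],
                         "token_trust": trust, "same_trust": certs[base] == trust})
    return hits


if __name__ == "__main__":
    for hit in find_token_duplicates(parse_certutil_listing(SAMPLE_LISTING), "Dogtag"):
        print(hit)
```

On a live system, feed it the output of the same `certutil -L -h all` command shown above instead of the constructed sample.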