freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

ipa-healthcheck doesn't support certificates stored in tokens #276

Closed rcritten closed 1 year ago

rcritten commented 2 years ago

For example the certificate may be visible in the softoken but it is stored in a PKCS#11 token so lacks the private key:

{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertNSSTrust",
  "result": "ERROR",
  "uuid": "1568211a-4276-4c49-a41c-b71853027609",
  "when": "20220728182829Z",
  "duration": "0.262080",
  "kw": {
    "key": "subsystemCert cert-pki-ca",
    "expected": "u,u,u",
    "got": ",,",
    "nickname": "subsystemCert cert-pki-ca",
    "dbdir": "/etc/pki/pki-tomcat/alias",
    "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
  }
}
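A triage helper, added here as an example and not part of freeipa-healthcheck, that reads healthcheck JSON output like the record above and separates the ",,"-versus-"u,u,u" pattern (private key possibly held in an external PKCS#11 token, so confirm where the key lives before treating it as a misconfiguration) from a genuine trust-flag mismatch. The second sample record and the verdict strings are constructed for illustration.

```python
import json

# Constructed sample output: the first record mirrors the report in this issue,
# the second is a made-up genuine trust mismatch included for contrast.
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertNSSTrust",
        "result": "ERROR",
        "kw": {
            "key": "subsystemCert cert-pki-ca",
            "expected": "u,u,u",
            "got": ",,",
            "nickname": "subsystemCert cert-pki-ca",
            "dbdir": "/etc/pki/pki-tomcat/alias",
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertNSSTrust",
        "result": "ERROR",
        "kw": {
            "key": "caSigningCert cert-pki-ca",
            "expected": "CTu,Cu,Cu",
            "got": "u,u,u",
            "nickname": "caSigningCert cert-pki-ca",
            "dbdir": "/etc/pki/pki-tomcat/alias",
        },
    },
])


def classify(result):
    """Return a verdict for one IPACertNSSTrust ERROR, or None if not applicable."""
    if (result.get("source") != "ipahealthcheck.ipa.certs"
            or result.get("check") != "IPACertNSSTrust"
            or result.get("result") != "ERROR"):
        return None
    kw = result.get("kw", {})
    # "u" marks a cert whose private key is in the NSS DB. Completely empty
    # flags where "u" is expected matches a key held outside the softoken.
    if kw.get("got") == ",," and "u" in kw.get("expected", ""):
        return "verify-key-location"
    return "trust-mismatch"


def triage(raw_json):
    """Map nickname -> verdict for every applicable result in the JSON output."""
    verdicts = {}
    for result in json.loads(raw_json):
        verdict = classify(result)
        if verdict:
            verdicts[result["kw"]["nickname"]] = verdict
    return verdicts
```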

rcritten commented 2 years ago

Here it used the NSS Certificate DB token which doesn't have the private key hence the false positive.