diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-11-16 03:42:49 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-11-16 18:14:23 +0100 |
| commit | 65013d222a9e612aaaaf49ee03ceed5d6c154f59 (patch) | |
| tree | 31294fa92b455358a609e6c21721e6057378cc61 /base/ocsp/shared | |
| parent | 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b (diff) | |
| download | pki-65013d222a9e612aaaaf49ee03ceed5d6c154f59.tar.gz pki-65013d222a9e612aaaaf49ee03ceed5d6c154f59.tar.xz pki-65013d222a9e612aaaaf49ee03ceed5d6c154f59.zip | |
Fixed hanging subordinate CA with HSM installation in FIPS mode.
When installing subordinate CA with HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in HSM. Normally, the HSM password is specified as
CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console causing the
installation to hang.
As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in HSM
without password prompts.
https://fedorahosted.org/pki/ticket/2543
Diffstat (limited to 'base/ocsp/shared')
0 files changed, 0 insertions, 0 deletions