diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-11-15 21:32:53 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-11-16 05:57:51 +0100 |
| commit | 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b (patch) | |
| tree | 8dd0d4e4dec89b3fdd5aa05e829be765a88c3b4a /base/server/python | |
| parent | 54c04a1d7c270f4e162695105468d280bdc7d028 (diff) | |
| download | pki-0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b.tar.gz pki-0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b.tar.xz pki-0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b.zip | |
Fixed problem installing subordinate CA with HSM in FIPS mode.
Due to certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install subordinate CA
with HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
Diffstat (limited to 'base/server/python')
| -rw-r--r-- | base/server/python/pki/server/__init__.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 13b325858..d556312a7 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -654,7 +654,8 @@ class PKIInstance(object): return pki.nssdb.NSSDatabase( directory=self.nssdb_dir, token=token, - password=self.get_token_password(token)) + password=self.get_token_password(token), + internal_password=self.get_token_password()) def external_cert_exists(self, nickname, token): for cert in self.external_certs: |