From 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 15 Nov 2016 21:32:53 +0100
Subject: Fixed problem installing subordinate CA with HSM in FIPS mode.

Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM in FIPS mode. First, the certificate will be imported into the HSM using the HSM password without the trust attributes. Then, the certificate will be imported into the internal token using the internal token password with the trust attributes. https://fedorahosted.org/pki/ticket/2543
---
 base/server/python/pki/server/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'base/server/python')
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 13b325858..d556312a7 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -654,7 +654,8 @@ class PKIInstance(object):
 return pki.nssdb.NSSDatabase(
 directory=self.nssdb_dir,
 token=token,
- password=self.get_token_password(token))
+ password=self.get_token_password(token),
+ internal_password=self.get_token_password())

 def external_cert_exists(self, nickname, token):
 for cert in self.external_certs:
-- cgit
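Review bot: The added `internal_password=self.get_token_password()` line resolves the internal token password on every call, including when `token` is already the internal token, and nothing at the call site says why a second secret is handed to `NSSDatabase`. A short comment would tie it to the workaround, for example `# internal token password: trust attributes are set there in a second import step (certutil bug #1393668)`. `get_token_password` is not visible in this hunk, so it is worth confirming that the no-argument call really resolves to the internal token, and that it neither prompts nor fails on instances where that password is not stored; if it can, fetch it only when `token` names an HSM. The enclosing method starts above the hunk, so its signature and any existing docstring are not shown.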