Hi,
I've updated DogTag to the current modules available (FC11 x86_64):
dogtag-pki-ca-ui-1.3.1-1.fc11.noarch
dogtag-pki-common-ui-1.3.1-1.fc11.noarch
dogtag-pki-console-ui-1.3.1-1.fc11.noarch
pki-ca-1.3.3-1.fc11.noarch
pki-common-1.3.3-1.fc11.noarch
pki-console-1.3.1-1.fc11.noarch
pki-java-tools-1.3.1-1.fc11.noarch
pki-native-tools-1.3.0-5.fc11.x86_64
pki-selinux-1.3.4-1.fc11.noarch
pki-setup-1.3.4-1.fc11.noarch
pki-silent-1.3.2-1.fc11.noarch
pki-symkey-1.3.2-3.fc11.x86_64
pki-util-1.3.0-5.fc11.noarch
I've installed and successfully tested a Utimaco CryptoServer HSM
on the operating system, including adding it to secmod.db (in the
/var/lib/subca01/alias directory), generating an RSA key-pair,
issuing a self-signed certificate and listing the objects using certutil (the
attached hsm-config.txt file shows sample output).
I've modified CS.cfg in /etc/subca01 to include this token (as the
attached modules.txt file shows).
I've even restarted pki-cad services after adding the HSM to secmod.db,
to ensure that the DogTag code reads secmod.db with the CryptoServer
configured in it.
However, when it comes time to install a Subordinate CA, the KeyStore
page claims that the Utimaco HSM is not found (see keystore-page.png)
even though it is correctly listed on the page under "Supported
Security Modules".
What am I missing?
How do I get DogTag to use the HSM to generate the key-pair?
Thanks.
Arshad Noor
StrongAuth, Inc.
# pet105:/var/lib/subca01/alias> modutil -dbdir . -nocertdb -list CryptoServer
-----------------------------------------------------------
Name: CryptoServer
Library file: /usr/local/utimaco/lib/libcs2_pkcs11.so
Manufacturer: Utimaco Safeware AG
Description: CryptoServer PKCS11 library
PKCS #11 Version 2.20
Library Version: 1.48
Cipher Enable Flags: None
Default Mechanism Flags: None
Slot: CryptoServer Device '/dev/cs2' - Slot No: 0
Slot Mechanism Flags: None
Manufacturer: Utimaco Safeware AG
Type: Hardware
Version Number: 0.0
Firmware Version: 1.6
Status: Enabled
Token Name: CBUAE TEST
Token Manufacturer: Utimaco Safeware AG
Token Model: CryptoServer
Token Serial Number: Se1000 CS410019
Token Version: 0.0
Token Firmware Version: 1.6
Access: NOT Write Protected
Login Type: Login required
User Pin: Initialized
-----------------------------------------------------------
# pet105:/var/lib/subca01/alias> certutil -K -d . -h "CBUAE TEST"
certutil: Checking token "CBUAE TEST" in slot "CryptoServer Device '/dev/cs2' - Slot No: 0"
Enter Password or Pin for "CBUAE TEST":
< 0> rsa 1f391f4675efbc5a22d7aa7a0c762b08b793b87a (orphan)
< 1> rsa 8329905b66d6e34c25a63c23dee6cd65acc598f1 CBUAE TEST:testcert
# pet105:/var/lib/subca01/alias> certutil -L -d . -h "CBUAE TEST" -n testcert
Enter Password or Pin for "CBUAE TEST":
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 123 (0x7b)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=TEST Cert"
Validity:
Not Before: Thu Apr 15 23:33:58 2010
Not After : Thu Jul 15 23:33:58 2010
Subject: "CN=TEST Cert"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
ae:43:b3:10:f4:28:d0:e9:4a:b0:df:80:24:a8:1c:a7:
7f:fc:33:7c:1b:cd:57:e3:67:8f:fc:a6:a6:c5:07:01:
cf:67:3a:c6:6f:2f:16:4d:4b:66:92:6a:33:65:a9:24:
a1:57:d1:6e:79:73:72:0a:b8:fb:97:9e:bf:b5:34:df:
3c:a3:6b:54:4f:54:70:57:e8:70:ed:da:b1:c9:3a:3c:
35:c0:74:1c:06:be:2e:54:b1:21:c3:69:ec:77:d5:80:
49:8f:80:35:24:00:83:35:7c:a9:19:a7:3c:41:51:63:
a3:3b:0d:6a:b3:32:ec:16:b4:90:43:0c:98:ee:5a:f0:
05:c5:06:d0:1b:9f:ab:9d:56:43:e3:f1:87:a6:7e:4b:
5e:4e:4f:65:37:1c:42:79:73:fb:bf:1a:f4:ed:23:c3:
b7:16:5a:c9:1a:65:35:64:34:86:6a:10:5d:f3:66:25:
13:5a:85:49:e3:9a:07:00:05:ee:cf:2a:71:72:fe:3a:
ae:dd:4a:70:5a:a2:42:6e:33:3b:15:a2:4f:81:1c:30:
93:79:c4:11:db:5b:08:d6:55:73:d9:86:19:1d:87:cf:
4b:e6:e4:10:a0:b4:a2:84:68:4d:5a:53:b8:97:64:68:
07:9e:84:a7:e5:48:ac:be:01:19:be:8a:e6:95:20:19
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
44:b4:bf:8c:f5:22:4e:fe:42:64:5d:f4:e5:73:3a:25:
b8:8c:1e:1c:68:7a:65:ce:30:c2:f2:ab:41:1f:58:3b:
70:50:92:b4:81:fc:f4:5a:b1:f3:b3:69:6e:4e:7a:c0:
94:2a:b2:23:4e:41:24:59:0f:62:87:0d:a2:37:cb:67:
a5:d2:01:91:aa:74:0f:c0:27:f0:7d:d3:0b:16:48:f8:
d9:69:6b:b2:84:80:7e:71:79:5d:11:9d:d6:1a:47:4d:
62:ba:f6:09:28:41:36:e2:78:12:9b:41:fd:df:84:de:
b2:91:fa:3e:99:aa:04:17:3e:ff:f7:6f:19:78:4e:a7:
aa:77:0a:aa:d2:ee:d1:e4:f2:cf:92:68:e8:79:1f:f3:
10:b0:3e:bd:2d:33:a4:bc:7f:66:ea:31:71:c5:7c:4f:
a8:0f:db:25:f2:60:1d:dc:a5:98:73:e3:1e:4b:94:80:
5c:f7:65:69:21:ff:3a:30:55:f6:67:29:f3:e1:aa:a4:
b8:40:9b:c3:8e:90:3b:5b:18:95:36:89:23:22:32:8d:
7c:46:a8:5b:10:2c:2e:99:49:d5:cb:18:f1:04:8f:40:
7e:b7:80:d3:1f:32:50:78:2a:c9:b4:c5:e0:78:b9:93:
63:ac:b4:85:ca:7e:a8:36:9d:6c:58:4c:3a:2f:a7:66
Fingerprint (MD5):
3F:AD:29:3F:60:58:27:9D:19:66:88:AC:7A:BF:0A:DC
Fingerprint (SHA1):
9F:C1:1B:0A:08:D8:1C:80:50:60:BF:0A:47:5E:3E:2C:29:3C:52:CD
Certificate Trust Flags:
SSL Flags:
Valid Peer
Trusted
Email Flags:
Object Signing Flags:
# pet105:/etc/subca01> grep Modules CS.cfg
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module0.imagePath=../img/clearpixel.gif
preop.configModules.module0.userFriendlyName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module1.imagePath=../img/clearpixel.gif
preop.configModules.module1.userFriendlyName=nCipher's nFast Token Hardware Module
preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=../img/clearpixel.gif
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
preop.configModules.module3.commonName=CryptoServer
preop.configModules.module3.imagePath=../img/clearpixel.gif
preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer Hardware Security Module
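Added example, not part of the post above and not code from the DogTag project: a POSIX shell script that cross-checks the three artifacts quoted in the message (the "modutil -list <module>" output from secmod.db, the preop.configModules entries in CS.cfg, and the "certutil -K" listing of the HSM token) for the consistency an HSM-backed sub-CA install depends on. The module name must be spelled byte-for-byte the same in secmod.db and in CS.cfg, the token must be visible on that module, and the CA key pair must live on the token rather than in the NSS softoken; the script also surfaces "(orphan)" entries, i.e. private keys with no certificate, like the first key in the post's listing. The sample inputs are constructed from the output quoted above so the script runs offline; the directory paths, module name and token name are taken from the post, and everything else is an assumption.

```sh
#!/bin/sh
# Added example; not code from the original post or from the DogTag project.
# Cross-checks three artifacts quoted in the post for the consistency an
# HSM-backed sub-CA install depends on:
#   1. the module NSS has registered in secmod.db, as printed by
#        modutil -dbdir /var/lib/subca01/alias -nocertdb -list CryptoServer
#   2. the module names CS.cfg advertises to the install wizard
#        (preop.configModules.moduleN.commonName in /etc/subca01/CS.cfg)
#   3. the key pairs certutil sees on the HSM token, as printed by
#        certutil -K -d /var/lib/subca01/alias -h "CBUAE TEST"
# Paths, module and token names are taken from the post; everything else is an
# assumption. Sample inputs are constructed from the quoted output so the
# script runs offline; on a live system feed it the real command output.
set -u

# Module names from "modutil -list <module>" output on stdin. Only lines that
# begin with "Name:" match, so "Token Name:" lines are not picked up.
modutil_module_names() {
    sed -n 's/^[[:space:]]*Name:[[:space:]]*//p'
}

# Token names from the same output on stdin.
modutil_token_names() {
    sed -n 's/^[[:space:]]*Token Name:[[:space:]]*//p'
}

# commonName values of the modules CS.cfg offers (stdin).
cscfg_module_names() {
    sed -n 's/^preop\.configModules\.module[0-9][0-9]*\.commonName=//p'
}

# Exit 0 if stdin contains $1 as a whole line. The comparison is exact and
# case-sensitive: a name that differs by one byte is a different module.
has_line() {
    grep -qxF -- "$1"
}

# Number of key pairs in "certutil -K" output on stdin (prints 0 if none).
certutil_key_count() {
    grep -c '^<[[:space:]]*[0-9][0-9]*>' || true
}

# IDs of private keys certutil flags "(orphan)", i.e. keys with no certificate.
certutil_orphan_keys() {
    sed -n 's/^<[[:space:]]*[0-9][0-9]*>[[:space:]]*[a-z]*[[:space:]]*\([0-9a-f]*\)[[:space:]]*(orphan).*/\1/p'
}

# check_hsm_module NAME MODUTIL_OUTPUT CSCFG_TEXT
# Exit 0 only if NAME is registered in secmod.db and advertised in CS.cfg
# under exactly the same spelling.
check_hsm_module() {
    printf '%s\n' "$2" | modutil_module_names | has_line "$1" \
        || { echo "module '$1' is not registered in secmod.db" >&2; return 1; }
    printf '%s\n' "$3" | cscfg_module_names | has_line "$1" \
        || { echo "module '$1' is not listed in CS.cfg preop.configModules" >&2; return 1; }
}

# ---- constructed sample inputs, abbreviated from the output in the post ----
SAMPLE_MODUTIL=$(cat <<'EOF'
-----------------------------------------------------------
  Name: CryptoServer
  Library file: /usr/local/utimaco/lib/libcs2_pkcs11.so
  Slot: CryptoServer Device '/dev/cs2' - Slot No: 0
  Token Name: CBUAE TEST
  Login Type: Login required
  User Pin: Initialized
-----------------------------------------------------------
EOF
)

SAMPLE_CSCFG=$(cat <<'EOF'
preop.configModules.count=4
preop.configModules.module0.commonName=NSS Internal PKCS #11 Module
preop.configModules.module1.commonName=nfast
preop.configModules.module2.commonName=lunasa
preop.configModules.module3.commonName=CryptoServer
preop.configModules.module3.userFriendlyName=Utimacos's CryptoServer Hardware Security Module
EOF
)

SAMPLE_CERTUTIL=$(cat <<'EOF'
< 0> rsa 1f391f4675efbc5a22d7aa7a0c762b08b793b87a (orphan)
< 1> rsa 8329905b66d6e34c25a63c23dee6cd65acc598f1 CBUAE TEST:testcert
EOF
)

# ---- run the checks against the samples ----
if check_hsm_module CryptoServer "$SAMPLE_MODUTIL" "$SAMPLE_CSCFG"; then
    echo "CryptoServer: registered in secmod.db and advertised in CS.cfg"
fi
echo "token(s) on the module: $(printf '%s\n' "$SAMPLE_MODUTIL" | modutil_token_names)"
echo "key pairs on the token: $(printf '%s\n' "$SAMPLE_CERTUTIL" | certutil_key_count)"
printf '%s\n' "$SAMPLE_CERTUTIL" | certutil_orphan_keys | while read -r id; do
    echo "private key with no certificate (orphan): $id"
done
```

On a live system, replace the sample variables with the real output of the three commands in the header comment. Two extra checks are worth running by hand: "certutil -K -d /var/lib/subca01/alias" with no -h lists the NSS softoken ("NSS Certificate DB"), and the CA signing key must not appear there once the sub-CA is installed; and the module name you pass to check_hsm_module should be copied from the "Name:" line of the modutil output rather than typed, so that a case or spacing difference from CS.cfg shows up as a failure instead of being silently overlooked.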