I'm using Dogtag 10.1.1 with SafeNet Luna SA HSM. I changed the flags in the default.cfg file, performed the install, then added the PKCS#11 library to secmod. However, either using the Wizard to do the configuration or modifying the default.cfg file again and using pkispawn failed to get CA keys generated on the HSM. Wizard doesn't see the SafeNet library (does it have to be in a specific directory?) and pkispawn throws an error "pkispawn : ERROR ....... KeyError: 'pki_uid'!" I noticed this was reported in ticket #905.
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski@yahoo.com
From: Marc Sauton <msauton@redhat.com>
To: Dennis Gnatowski <dgnatowski@yahoo.com>; "pki-users@redhat.com" <pki-users@redhat.com>
Sent: Monday, November 3, 2014 3:10 PM
Subject: Re: [Pki-users] CA integration and installation with HSM
On 11/02/2014 09:09 AM, Dennis Gnatowski wrote:
What are the steps to integrate DogTag (Root) CA with an HSM? Does this have to occur during installation?
I've successfully performed a general installation with CA keys in software. I was then able to modify secmod.db to add the HSM library and restart the system. I can use both command line utilities (certutil) and the GUI (pkiconsole) to create keys on the HSM. Re-keying the caSigning certificate works, but the CA certificate is issued (issuer) by the original software-based issuer (therefore NOT a self-signed CA cert!). So I assume this has to be done during initial installation (custom install). But how do I get the HSM PKCS#11 library added/included with the custom install?
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski@yahoo.com
Adding the PKCS #11 module to secmod.db should happen after the pkicreate and just before running the silent install or the web based configuration wizard.
In Dogtag 10, when using pkispawn, you can split the install and config steps in two using the flags pki_skip_configuration and pki_skip_installation.
M.
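The two-phase sequence Marc describes, as an added shell example that is not part of the thread and not Dogtag's own tooling: the instance name, the path of the edited deployment config, the SafeNet library path and the module name are placeholders, and the instance NSS database location is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's or Dogtag's own code): the two-phase install Marc
# describes, with the PKCS#11 module registered in the instance's secmod.db between
# the install and configuration steps. Placeholders to adjust: instance name, path
# of your edited copy of default.cfg, SafeNet library path, module name.
set -e
INSTANCE="${INSTANCE:-pki-tomcat}"
BASE_CFG="${BASE_CFG:-/root/ca-hsm.cfg}"            # edited copy of default.cfg
HSM_LIB="${HSM_LIB:-/usr/lib/libCryptoki2_64.so}"   # placeholder SafeNet PKCS#11 library
HSM_MOD="${HSM_MOD:-lunasa}"                        # name to register in secmod.db
NSSDB="/etc/pki/$INSTANCE/alias"                    # assumed instance NSS db location

# Write a per-phase deployment file: copy BASE_CFG, drop any existing skip flags,
# put the two flags into [DEFAULT] (or at the end if the file has no such section).
# $1 = output file, $2 = pki_skip_installation, $3 = pki_skip_configuration
write_phase_cfg() {
    awk -v inst="$2" -v conf="$3" '
        /^pki_skip_installation=/ || /^pki_skip_configuration=/ { next }
        { print }
        /^\[DEFAULT\]/ { print "pki_skip_installation=" inst
                         print "pki_skip_configuration=" conf; done = 1 }
        END { if (!done) { print "pki_skip_installation=" inst
                           print "pki_skip_configuration=" conf } }
    ' "$BASE_CFG" > "$1"
}
# Return 0 only if the file carries the flag values expected for a phase.
check_phase_cfg() {
    grep -qx "pki_skip_installation=$2" "$1" && grep -qx "pki_skip_configuration=$3" "$1"
}
# Phase 1: create the instance and its NSS database, stop before configuration.
phase1_install() {
    write_phase_cfg /root/ca-phase1.cfg False True
    pkispawn -s CA -f /root/ca-phase1.cfg
}
# Between phases: add the HSM library to secmod.db, then list modules so the
# HSM token is confirmed visible before any CA key is generated.
add_hsm_module() {
    modutil -dbdir "$NSSDB" -add "$HSM_MOD" -libfile "$HSM_LIB" -force
    modutil -dbdir "$NSSDB" -list
}
# Phase 2: run only the configuration step against the installed instance.
phase2_configure() {
    write_phase_cfg /root/ca-phase2.cfg True False
    pkispawn -s CA -f /root/ca-phase2.cfg
}
# Only touch the system when invoked as:  sh ca-hsm-install.sh --run
if [ "${1:-}" = "--run" ]; then phase1_install; add_hsm_module; phase2_configure; fi
```

Sourcing the file without `--run` only defines the functions, so the generated phase files can be inspected before anything is installed.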