Patrick,
This should work - given that the master's keys are visible to the
clone. The only thing this suggests is that the nicknames that are sent
from the master to the clone at the beginning of the install process
are incorrect.
To diagnose this, I'll need to know:
1. Versions of pki-ca and pki-common (rpm -q pki-ca pki-common)
2. Copy of debug log for both master and clone.
3. Copy of CS.cfg for both master and clone.
4. Is the HSM in FIPS mode?
Thanks,
Ade
On Sun, 2011-09-25 at 10:18 -0400, Patrick.Raspante(a)gdc4s.com wrote:
Given a Master CA with existing keys in an nCipher netHSM:
From Guide:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Ins...
Documentation says there need not be any extra intervention to export
and import HSM keys if the new Clone resides on the same server as the
Master:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Ins...
Cannot get past step 10. Leaving the p12 path and p12 password fields
blank (do not import p12s) results in an end of file SAX parse error.
Tried feeding the wizard a dummy p12. Get an error message "Clone is
not ready". Debug log files reveal that not all required certificates
have been imported.
Also worth noting that before running the Clone Wizard:
# cd /var/lib/CLONE-CA/alias
# modutil -dbdir . -list
--The netHSM module is listed
# certutil -L -d . -h <token-name>
--Lists all of MASTER-CA’s certificates/keys as available.
Has anyone identified a workaround for this?
Thanks
-pwr
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users