Hi Amaury,
I have not had a chance to play with Thales Luna Cloud HSM.
From your modutil listing above, I think "partition" is the value you want to assign to the following pkispawn parameters:
   pki_token_name=partition
   pki_<all the cert id's that you wish to go on the hsm token>_token=partition
Was that what you did?

Christina
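A quick way to catch the mismatch Christina describes before re-running pkispawn is to compare the token names in the deployment config against the tokens that modutil actually lists. The script below is an added example, not code from Dogtag PKI or from anyone in this thread; it embeds a trimmed, constructed copy of the modutil listing from the message below and a constructed pkispawn config in which the token name is "hardware-partition" (the value from the TomcatJSS warning), and it reports every pki_token_name or pki_*_token setting that names a token modutil cannot see. The parameter names are real pkispawn keys; the config values are assumptions for illustration only.

```python
import configparser
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the `modutil -dbdir . -list` output quoted in
# the thread, reduced to the fields this parser needs.
SAMPLE_MODUTIL_OUTPUT = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. lunasa
        library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
         slots: 4 slots attached
        status: loaded

         slot: Luna G7 Slot
        token:

         slot: Net Token Slot
        token: partition
          uri: pkcs11:token=partition;manufacturer=SafeNet;serial=1431305167971;model=Cryptovisor7
-----------------------------------------------------------
"""

# Constructed sample pkispawn deployment config (assumption). The token name
# "hardware-partition" is the one from the TomcatJSS warning in the thread and does
# not match the token label modutil reports ("partition").
SAMPLE_PKISPAWN_CFG = """\
[CA]
pki_hsm_enable=True
pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=lunasa
pki_token_name=hardware-partition
pki_ca_signing_token=hardware-partition
pki_sslserver_token=internal
"""

# "  1. NSS Internal PKCS #11 Module" / "  2. lunasa": a numbered module header.
MODULE_RE = re.compile(r"^\s*\d+\.\s+(?P<name>\S.*?)\s*$")
# "        token: partition" (an empty label means an uninitialised slot).
TOKEN_RE = re.compile(r"^\s*token:\s*(?P<token>.*?)\s*$")

# Values pkispawn understands as the NSS software token rather than an HSM token.
INTERNAL_TOKEN_ALIASES = {"", "internal", "nss certificate db"}


def parse_modutil_tokens(text: str) -> Dict[str, List[str]]:
    """Map each PKCS#11 module name to the non-empty token labels in its slots."""
    modules: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group("name")
            modules[current] = []
            continue
        t = TOKEN_RE.match(line)
        if t and current is not None and t.group("token"):
            modules[current].append(t.group("token"))
    return modules


def check_token_config(cfg_text: str, modutil_text: str, section: str = "CA") -> List[str]:
    """Return one message per pkispawn token setting that names a token modutil does not list."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    tokens = {tok for toks in parse_modutil_tokens(modutil_text).values() for tok in toks}
    problems: List[str] = []
    for key, value in cfg[section].items():
        # Only pki_token_name and the per-certificate pki_<cert id>_token keys name tokens.
        if key != "pki_token_name" and not (key.startswith("pki_") and key.endswith("_token")):
            continue
        if value.lower() in INTERNAL_TOKEN_ALIASES:
            continue
        if value not in tokens:
            problems.append(
                f"{key}={value!r} names a token not listed by modutil; "
                f"tokens seen: {sorted(tokens)}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_token_config(SAMPLE_PKISPAWN_CFG, SAMPLE_MODUTIL_OUTPUT):
        print(problem)
```

On a real installation, feed it the output of `modutil -dbdir /var/lib/pki/pki-tomcat/alias -list` and the actual deployment config; an empty result means every token name in the config corresponds to a token label the NSS database can see.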



On Fri, Nov 5, 2021 at 7:15 AM <amaury.siharath@gmail.com> wrote:
Hi team.

I'm trying to pkispawn a CA Subsystem with HSM on Demand using Thales Luna Cloud HSM.

The following error appears:

============================================================
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
ERROR: ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.
  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 989, in spawn
    sslserver = subsystem.get_subsystem_cert('sslserver')
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 163, in get_subsystem_cert
    cert_info = self.get_nssdb_cert_info(cert_id)
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 198, in get_nssdb_cert_info
    return nssdb.get_cert_info(nickname, token=token)
  File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 1334, in get_cert_info
    cert_obj = x509.load_pem_x509_certificate(
  File "/usr/lib64/python3.9/site-packages/cryptography/x509/base.py", line 399, in load_pem_x509_certificate
    return backend.load_pem_x509_certificate(data)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1344, in load_pem_x509_certificate
    raise ValueError(


Installation failed: Unable to load certificate. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.
============================================================

I don't know if I'm missing something. When the installation fails, running modutil -dbdir . -list in the /var/lib/pki/pki-tomcat/alias directory gives the following result:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.71
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. lunasa
        library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
           uri: pkcs11:library-manufacturer=SafeNet%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-description=Chrystoki%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-version=10.3
         slots: 4 slots attached
        status: loaded

         slot: Luna G7 Slot
        token:
          uri: pkcs11:

         slot: Luna G7 Slot
        token:
          uri: pkcs11:

         slot: Luna G7 Slot
        token:
          uri: pkcs11:

         slot: Net Token Slot
        token: partition
          uri: pkcs11:token=partition;manufacturer=SafeNet;serial=1431305167971;model=Cryptovisor7
-----------------------------------------------------------

Instructions seem to be a bit scarce about it. Slot and partition were set following the instructions in this documentation: https://thalesdocs.com/dpod/services/luna_cloud_hsm/client/configure/index.html

And I don't know if this sample configuration is enough: https://thalesdocs.com/dpod/services/integrations/linux/redhat_certificate_system/index.html

Did anyone have any issue with this?

Cheers,
A.
_______________________________________________
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-leave@lists.dogtagpki.org