Hi,

The password.conf file stores system passwords in plaintext, and I prefer to enter system passwords manually and to remove the password file.

I have found original documentation https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html. But it is for older version on PKI and does not work with systemd.

How to setup PKI CA to ask for NSS DB password at startup?

Packages versions (I have rebuilt F22 packages for CentOS 7):
# rpm -qa | grep pki
pki-base-10.2.5-1.el7.centos.noarch
pki-server-10.2.5-1.el7.centos.noarch
dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
pki-ca-10.2.5-1.el7.centos.noarch
pki-tools-10.2.5-1.el7.centos.x86_64
dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch

Aleksey