Hi team.
I'm trying to pkispawn a CA subsystem with HSM on Demand using Thales Luna Cloud HSM.
The following error appears:
============================================================
Installing CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
AVERTISSEMENT: TomcatJSS: token for hardware-partition not found
ERROR: ValueError: Unable to load certificate. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.
  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 989, in spawn
    sslserver = subsystem.get_subsystem_cert('sslserver')
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 163, in get_subsystem_cert
    cert_info = self.get_nssdb_cert_info(cert_id)
  File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 198, in get_nssdb_cert_info
    return nssdb.get_cert_info(nickname, token=token)
  File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 1334, in get_cert_info
    cert_obj = x509.load_pem_x509_certificate(
  File "/usr/lib64/python3.9/site-packages/cryptography/x509/base.py", line 399, in load_pem_x509_certificate
    return backend.load_pem_x509_certificate(data)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1344, in load_pem_x509_certificate
    raise ValueError(
Installation failed: Unable to load certificate. See https://cryptography.io/en/latest/faq.html#why-can-t-i-import-my-pem-file for more details.
============================================================
I don't know if I'm missing something. When the installation fails, running modutil
-dbdir . -list in the /var/lib/pki/pki-tomcat/alias directory gives the following result:
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.71
       slots: 2 slots attached
      status: loaded

       slot: NSS Internal Cryptographic Services
      token: NSS Generic Crypto Services
        uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

       slot: NSS User Private Key and Certificate Services
      token: NSS Certificate DB
        uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. lunasa
  library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
         uri: pkcs11:library-manufacturer=SafeNet%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-description=Chrystoki%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20;library-version=10.3
       slots: 4 slots attached
      status: loaded

       slot: Luna G7 Slot
      token:
        uri: pkcs11:

       slot: Luna G7 Slot
      token:
        uri: pkcs11:

       slot: Luna G7 Slot
      token:
        uri: pkcs11:

       slot: Net Token Slot
      token: partition
        uri: pkcs11:token=partition;manufacturer=SafeNet;serial=1431305167971;model=Cryptovisor7
-----------------------------------------------------------
Instructions seem to be a bit scarce about this. The slot and partition were set following
the instructions in this documentation:
https://thalesdocs.com/dpod/services/luna_cloud_hsm/client/configure/inde...
And I don't know if this sample configuration is enough:
https://thalesdocs.com/dpod/services/integrations/linux/redhat_certificat...
Did anyone have any issue with this?
Cheers,
A.
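The TomcatJSS warnings in the post say no token named hardware-partition could be found, while the modutil listing shows the only token on the lunasa module is labelled partition. Below is an added diagnostic (not part of the post, and not Dogtag or Thales code) that parses `modutil -dbdir . -list` output, collects the token labels each loaded PKCS#11 module exposes, and reports whether a configured token name matches one of them exactly, listing near-misses so the name in the pkispawn deployment config (the pki_token_name parameter) can be compared against what NSS actually sees. The sample output embedded in the block is a constructed, abridged copy of the listing above.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: abridged from the `modutil -dbdir . -list` output in the post.
SAMPLE_MODUTIL_OUTPUT = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.71
       slots: 2 slots attached
      status: loaded

       slot: NSS Internal Cryptographic Services
      token: NSS Generic Crypto Services
        uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

       slot: NSS User Private Key and Certificate Services
      token: NSS Certificate DB
        uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. lunasa
  library name: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
       slots: 4 slots attached
      status: loaded

       slot: Luna G7 Slot
      token:
        uri: pkcs11:

       slot: Net Token Slot
      token: partition
        uri: pkcs11:token=partition;manufacturer=SafeNet;serial=1431305167971;model=Cryptovisor7
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(?P<name>.+?)\s*$")   # "  2. lunasa"
TOKEN_RE = re.compile(r"^\s*token:\s*(?P<label>.*?)\s*$")  # "      token: partition"
URI_RE = re.compile(r"^\s*uri:\s*(?P<uri>pkcs11:.*?)\s*$")  # "        uri: pkcs11:token=..."


def parse_modutil_tokens(output: str) -> Dict[str, List[str]]:
    """Map each module listed by modutil to the non-empty token labels of its slots.

    A slot with no token present prints a blank "token:" line and a bare "pkcs11:"
    URI; such slots are skipped. If the label line is blank but the URI carries a
    token= attribute, the (percent-decoded) URI value is used instead.
    """
    modules: Dict[str, List[str]] = {}
    current: Optional[str] = None
    blank_label_pending = False
    for line in output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group("name")
            modules[current] = []
            blank_label_pending = False
            continue
        if current is None:
            continue  # header lines before the first module
        t = TOKEN_RE.match(line)
        if t:
            label = t.group("label")
            if label:
                modules[current].append(label)
                blank_label_pending = False
            else:
                blank_label_pending = True
            continue
        u = URI_RE.match(line)
        if u and blank_label_pending:
            body = u.group("uri")[len("pkcs11:"):]
            attrs = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
            if attrs.get("token"):
                modules[current].append(unquote(attrs["token"]))
            blank_label_pending = False
    return modules


def check_token_name(configured: str, output: str) -> dict:
    """Report whether `configured` exactly equals a loaded token label.

    NSS/JSS look tokens up by exact label, so only an exact match counts as found;
    labels that contain, or are contained in, the configured name are returned as
    near-misses for the administrator to compare with the deployment config.
    """
    modules = parse_modutil_tokens(output)
    found_in: Optional[str] = None
    near: List[Tuple[str, str]] = []
    for module, labels in modules.items():
        for label in labels:
            if label == configured:
                found_in = module
            elif label.lower() in configured.lower() or configured.lower() in label.lower():
                near.append((module, label))
    return {"configured": configured, "found": found_in is not None,
            "module": found_in, "near_matches": near, "available": modules}


if __name__ == "__main__":
    # Name taken from the TomcatJSS warning in the post; compare with what modutil lists.
    report = check_token_name("hardware-partition", SAMPLE_MODUTIL_OUTPUT)
    print("configured token:", report["configured"], "found:", report["found"])
    for module, labels in report["available"].items():
        print(f"  {module}: {labels}")
    for module, label in report["near_matches"]:
        print(f"  near-miss: module {module!r} exposes token label {label!r}")
```

On a real server, replace the embedded sample with the captured output of `modutil -dbdir /var/lib/pki/pki-tomcat/alias -list` (or pipe it in) and pass the token name from the pkispawn config; a result with `found` false and a near-miss on the lunasa module points at a label mismatch rather than a missing HSM module, which is a different failure from the library not loading at all.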