Issue with ant runinstall: Crypto Token Unavailable Despite HSM Key Existing #959
Archer3457
started this conversation in
General
Replies: 1 comment
-
|
Moving to discussions. You can read about HSM support and requirements on objects here: https://docs.keyfactor.com/ejbca/latest/hardware-security-modules-hsm For the Nitro HSM there is specific documentation here, with instructions how to use clientToolBox to generate and test keys. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
I'm currently installing EJBCA 9.1 and encountered an issue during the ant runinstall step. The system throws the following error:
Crypto token was unavailable: No key with alias 'defaultRoot'
However, I have verified that the key with alias defaultRoot does exist in my HSM. It appears that EJBCA is unable to access or recognize it, despite the key being present.
Below is a summary of my troubleshooting steps. I would greatly appreciate any guidance or suggestions to resolve this issue.
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK04020300000 ) 00 00
token label : test (UserPIN)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 4.1
serial num : DENK0402030
pin min/max : 6/15
cat /opt/ejbca/conf/catoken.properties
sharedLibrary /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
slotLabelType=SLOT_NUMBER
slotLabelValue=0
CA key configuration
defaultKey defaultRoot
certSignKey signRoot
crlSignKey signRoot
testKey testRoot
alternativeCertSignKey alternativeSignRoot
3.pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --pin myhsmpin-O
Using slot 0 with a present token (0x0)
Private Key Object; RSA
label: tlsKey0001
ID: 746c734b657930303031
Usage: decrypt, sign, signRecover, unwrap
Access: sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
label: tlsKey0001
subject: DN: CN=Dummy certificate created by a CESeCore application
serial: 01997B6E6A04
ID: 746c734b657930303031
Public Key Object; RSA 2048 bits
label: tlsKey0001
ID: 746c734b657930303031
Usage: encrypt, verify, verifyRecover
Access: local
Private Key Object; RSA
label: defaultRoot
ID: 55e05a93150d590c3c1665a55b51941afd951f7e
Usage: decrypt, sign, signRecover
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label: defaultRoot
ID: 55e05a93150d590c3c1665a55b51941afd951f7e
Usage: encrypt, verify, wrap
Access: none
Private Key Object; RSA
label: signRoot
ID: 3ac2892256df120c7da6599deaf64a1301549a09
Usage: decrypt, sign, signRecover
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label: signRoot
ID: 3ac2892256df120c7da6599deaf64a1301549a09
Usage: encrypt, verify, wrap
Access: none
Private Key Object; RSA
label: testRoot
ID: 6521fd0ad496117b8fcd1afce1d827d4bfa6c03e
Usage: decrypt, sign, signRecover
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label: testRoot
ID: 6521fd0ad496117b8fcd1afce1d827d4bfa6c03e
Usage: encrypt, verify, wrap
Access: none
Profile object 1595259152
profile_id: CKP_PUBLIC_CERTIFICATES_TOKEN (4)
ant runinstall
Buildfile: /opt/ejbca/build.xml
customejbca.message:
[echo] No custom changes to merge.
runinstall:
check:bootstrapdone:
ejbca:prompt:
[input] skipping input as property ca.name has already been set.
[input] skipping input as property ca.dn has already been set.
[input] skipping input as property ca.keytype has already been set.
[input] skipping input as property ca.keyspec has already been set.
[input] skipping input as property ca.signaturealgorithm has already been set.
[input] skipping input as property ca.validity has already been set.
[input] skipping input as property ca.policy has already been set.
[echo] To set httpsserver.hostname you need to configure conf/web.properties. See sample config file conf/web.properties.sample.
[input] skipping input as property httpsserver.hostname has already been set.
[echo]
[echo] Common Name (CN) of httpsserver dn is by default taken from the httpsserver.hostname.
[input] skipping input as property httpsserver.dn has already been set.
[input] skipping input as property superadmin.cn has already been set.
[input] skipping input as property superadmin.dn has already been set.
[input] skipping input as property superadmin.batch has already been set.
[input] skipping input as property superadmin.password has already been set.
[input] skipping input as property ca.tokenpassword has already been set.
ejbca:deploytrustprompt:
[input] skipping input as property java.trustpassword has already been set.
ejbca:deployprompt:
[input] skipping input as property httpsserver.password has already been set.
ejbca:init:
[echo]
[echo] ------------------- CA Properties ----------------
[echo] ca.name : ManagementCA
[echo] ca.dn : CN=ManagementCA,O=EJBCA Sample,C=SE
[echo] ca.tokentype : org.cesecore.keys.token.PKCS11CryptoToken
[echo] ca.keytype : RSA
[echo] ca.keyspec : 2048
[echo] ca.signaturealgorithm : SHA256WithRSA
[echo] ca.validity : 3650
[echo] ca.policy : null
[echo] ca.tokenproperties : /opt/ejbca/conf/catoken.properties
[echo] httpsserver.hostname : localhost
[echo] httpsserver.dn : CN=localhost,O=EJBCA Sample,C=SE
[echo] httpsserver.tokentype : P12
[echo] superadmin.cn : SuperAdmin
[echo] superadmin.dn : CN==SuperAdmin,O=EJBCA Sample,C=SE
[echo] superadmin.batch : true
[echo] appserver.home : /opt/wildfly
[echo]
ejbca:install:
ejbca:initCA:
[echo] Initializing CA with 'ManagementCA' 'CN=ManagementCA,O=EJBCA Sample,C=SE' 'org.cesecore.keys.token.PKCS11CryptoToken' '<ca.tokenpassword hidden>' '2048' 'RSA' '3650' 'null' 'SHA256WithRSA' --tokenprop "/opt/ejbca/conf/catoken.properties" -superadmincn 'SuperAdmin'...
[java] 08:22:08.009 [main] ERROR org.ejbca.ui.cli.ca.CaInitCommand - Crypto token was unavailable: No key with alias 'defaultRoot'.
BUILD FAILED
/opt/ejbca/build.xml:77: The following error occurred while executing this line:
/opt/ejbca/bin/cli.xml:98: The following error occurred while executing this line:
/opt/ejbca/bin/cli.xml:126: The following error occurred while executing this line:
/opt/ejbca/bin/cli.xml:211: Java returned: 1
Total time: 7 seconds
Thank you in advance for your support.
Beta Was this translation helpful? Give feedback.
All reactions