ipa-healthcheck doesn't support certificates stored in tokens #276
Comments
Here it used the NSS Certificate DB token which doesn't have the private key hence the false positive.
rcritten pushed a commit to rcritten/freeipa-healthcheck that referenced this issue on Sep 29, 2022:
dogtagpki supports storing its subsystem and CA certificates on an HSM. Look up the token name and password in the NSS db password file. If a token exists then include that in the lookup and expect (require) the CA, audit, ocsp and subsystem certificates to be there. If a KRA is also configured then those certificates will be in the HSM as well. PKI supports mixing and matching but for now this only supports a simplistic one HSM or no HSM. This requires an update to IPA where certificates can be looked up by token. At this point HSM is not yet supported in IPA but once it is then this will just work. Fixes: freeipa#276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue on Sep 30, 2022:
dogtagpki supports storing its subsystem and CA certificates on an HSM. Look up the token name and password in the NSS db password file. If a token exists then include that in the lookup and expect (require) the CA, audit, ocsp and subsystem certificates to be there. If a KRA is also configured then those certificates will be in the HSM as well. PKI supports mixing and matching but for now this only supports a simplistic one HSM or no HSM. This requires an update to IPA where certificates can be looked up by token. At this point HSM is not yet supported in IPA but once it is then this will just work. Fixes: freeipa#276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue on Nov 18, 2022:
dogtagpki supports storing its subsystem and CA certificates on an HSM. Look up the token name and password in the NSS db password file. If a token exists then include that in the lookup and expect (require) the CA, audit, ocsp and subsystem certificates to be there. If a KRA is also configured then those certificates will be in the HSM as well. PKI supports mixing and matching but for now this only supports a simplistic one HSM or no HSM. This supports the existing IPA CertDB and NSSDatabase APIs as well as IPA 4.9.x. Fixes: freeipa#276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue on Nov 18, 2022:
This required changes to the mock CAInstance to support the HSM properties in DogtagInstance. Fixes: freeipa#276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue on Dec 1, 2022:
dogtagpki supports storing its subsystem and CA certificates on an HSM. Look up the token name and password in the NSS db password file. If a token exists then include that in the lookup and expect (require) the CA, audit, ocsp and subsystem certificates to be there. If a KRA is also configured then those certificates will be in the HSM as well. PKI supports mixing and matching but for now this only supports a simplistic one HSM or no HSM. This supports the existing IPA CertDB and NSSDatabase APIs as well as IPA 4.9.x. Fixes: #276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue on Dec 1, 2022:
This required changes to the mock CAInstance to support the HSM properties in DogtagInstance. Fixes: #276 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
For example the certificate may be visible in the softoken but it is stored in a PKCS#11 token so lacks the private key:

```json
{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertNSSTrust",
  "result": "ERROR",
  "uuid": "1568211a-4276-4c49-a41c-b71853027609",
  "when": "20220728182829Z",
  "duration": "0.262080",
  "kw": {
    "key": "subsystemCert cert-pki-ca",
    "expected": "u,u,u",
    "got": ",,",
    "nickname": "subsystemCert cert-pki-ca",
    "dbdir": "/etc/pki/pki-tomcat/alias",
    "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
  }
}
```
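The following is an added example, not code from freeipa-healthcheck or from the commits above. It reproduces the false positive in the report (a token-resident certificate is listed by the internal softoken with no private key, so its trust flags come back as `,,`) and shows the token-aware lookup the fix describes: read the token name from the NSS password file and, for the certificates required to live on the HSM, look them up under `token:nickname`. The password file layout (`hardware-<token>=...`), the `certutil -L` style listings, the token name `HSM1` and the expected trust table are constructed for this example and are assumptions, not values taken from the issue.

```python
"""Added example: token-aware NSS trust check for Dogtag certificates.

Not part of freeipa-healthcheck; file contents below are constructed samples.
"""
import re

# Constructed sample of a Dogtag NSS password file. The "hardware-<token>="
# key naming used to find the HSM token is an assumption for this example.
SAMPLE_PASSWORD_CONF = """\
internal=softoken-secret
hardware-HSM1=hsm-secret
internaldb=ldap-secret
"""

# Constructed `certutil -L -d /etc/pki/pki-tomcat/alias` style output for the
# internal softoken: the HSM-backed subsystem cert is visible but has no
# private key there, so its trust attributes read ",," (the reported symptom).
SAMPLE_SOFTOKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed listing of the same database queried against the HSM token
# (`certutil -L -d ... -h HSM1`); nicknames carry the "token:" prefix.
SAMPLE_TOKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

HSM1:caSigningCert cert-pki-ca                               CTu,Cu,Cu
HSM1:subsystemCert cert-pki-ca                               u,u,u
HSM1:auditSigningCert cert-pki-ca                            u,u,Pu
HSM1:ocspSigningCert cert-pki-ca                             u,u,u
"""

# Expected trust flags per nickname (assumed table following IPA conventions).
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "subsystemCert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
}

# Certificates the commit message says must be on the HSM when a token exists.
HSM_REQUIRED = {
    "caSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
}

# One line of certutil -L output: nickname, 2+ spaces, three comma-separated
# flag groups (possibly empty, as in ",,"). Header lines never match.
_LISTING_LINE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def hsm_token_name(password_conf: str):
    """Return the HSM token name from the password file, or None if no token."""
    for line in password_conf.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.startswith("hardware-"):
            return key[len("hardware-"):]
    return None


def parse_certutil_listing(text: str) -> dict:
    """Map nickname -> trust attribute string from certutil -L style output."""
    certs = {}
    for line in text.splitlines():
        m = _LISTING_LINE.match(line.rstrip())
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def check_trust(nickname: str, token, softoken_certs: dict, token_certs: dict):
    """Return (result, got, lookup_name) for one certificate.

    With token=None this is the naive softoken-only check that produces the
    false positive; with a token name, HSM-required certificates are looked up
    as "token:nickname" and must exist there.
    """
    expected = EXPECTED_TRUST[nickname]
    if token and nickname in HSM_REQUIRED:
        lookup = f"{token}:{nickname}"
        got = token_certs.get(lookup)
    else:
        lookup = nickname
        got = softoken_certs.get(lookup)
    if got is None:
        return ("ERROR", None, lookup)  # required certificate missing
    return ("SUCCESS" if got == expected else "ERROR", got, lookup)


def run_check(password_conf=SAMPLE_PASSWORD_CONF,
              softoken_listing=SAMPLE_SOFTOKEN_LISTING,
              token_listing=SAMPLE_TOKEN_LISTING) -> dict:
    """Run the token-aware check over every expected nickname."""
    token = hsm_token_name(password_conf)
    soft = parse_certutil_listing(softoken_listing)
    tok = parse_certutil_listing(token_listing)
    return {nick: check_trust(nick, token, soft, tok) for nick in EXPECTED_TRUST}


if __name__ == "__main__":
    soft = parse_certutil_listing(SAMPLE_SOFTOKEN_LISTING)
    tok = parse_certutil_listing(SAMPLE_TOKEN_LISTING)
    print("naive:", check_trust("subsystemCert cert-pki-ca", None, soft, tok))
    for nick, res in run_check().items():
        print(f"{res[0]:7} {res[2]} got={res[1]}")
```

The naive call reports `ERROR` with `got=",,"` exactly as in the issue, while the token-aware run resolves the same nickname as `HSM1:subsystemCert cert-pki-ca` and passes; a certificate that is required on the token but absent from the token listing is reported as an error rather than silently falling back to the softoken copy.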