The pkispawn and CS.cfg provide several parameters to specify the token name for each system certificate:
However, the current code disregards the token names specified in the above parameters and will only use the token name specified in pki_token_name, which limits its use and may cause some confusion.
One option is to fix the code to read the token names from the right parameters, allowing the system certificate to be created in different tokens. For example, the CA certificate might be created in HSM, while the other certificates are created in internal token.
Another option is to remove the above parameters, so all system certificates will always be created in the same token.
Per PKI Bug Council of 08/31/2016: 10.3.6
To ssh://vakwetu@git.fedorahosted.org/git/pki.git 1195ee9..bc65e12 master -> master
Checked into master:
Cherry-picked into DOGTAG_10_3_BRANCH:
From 261e550a25ced3c61fc0c3afeb910d17b7472a3c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: [PATCH 03/10] Added support to create system certificates in different tokens.
Previously all system certificates were always created in the same token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started.
After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.
https://fedorahosted.org/pki/ticket/2449 (cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3)
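The resolution rule described in the commit above (pki_<cert>_token overrides pki_token_name, resolved values are written into CS.cfg before the server starts), as an added illustration that is not part of Dogtag's configuration.py. The HSM token label, the `ca.<cert>.tokenname` CS.cfg key format and the list of system certificates are assumptions for the example, not values taken from the ticket.

```python
"""Per-certificate token resolution as described in the ticket: an explicit
pki_<cert>_token wins, otherwise the cert inherits pki_token_name."""

# Assumed list of CA system certificates (illustrative, not from the ticket).
SYSTEM_CERTS = ("ca_signing", "ocsp_signing", "sslserver", "subsystem", "audit_signing")

# Constructed sample deployment config: everything in the HSM except the SSL
# server cert, which stays in the internal (software) token. "NHSM6000" is an
# assumed HSM token label.
DEPLOYMENT_CFG = {
    "pki_token_name": "NHSM6000",        # deployment-wide default token
    "pki_sslserver_token": "internal",   # per-cert override: software token
    "pki_audit_signing_token": "",       # empty override -> inherit default
}


def resolve_token(cfg, cert):
    """Return the token a system cert belongs in: the pki_<cert>_token
    override when it is non-empty, otherwise pki_token_name (or internal)."""
    override = cfg.get(f"pki_{cert}_token", "").strip()
    if override:
        return override
    return cfg.get("pki_token_name", "").strip() or "internal"


def cs_cfg_entries(cfg, certs=SYSTEM_CERTS):
    """Build the CS.cfg entries the server reads at configuration time.
    The key format ca.<cert>.tokenname is an assumption for illustration."""
    return {f"ca.{cert}.tokenname": resolve_token(cfg, cert) for cert in certs}


def legacy_cs_cfg_entries(cfg, certs=SYSTEM_CERTS):
    """Pre-fix behaviour from the ticket: every cert silently inherits
    pki_token_name and the per-cert parameters are ignored."""
    default = cfg.get("pki_token_name", "").strip() or "internal"
    return {f"ca.{cert}.tokenname": default for cert in certs}


def overrides_ignored(cfg, certs=SYSTEM_CERTS):
    """Check for the misconfiguration the ticket describes: certs whose
    requested token differs from where the legacy code would create them."""
    wanted = cs_cfg_entries(cfg, certs)
    legacy = legacy_cs_cfg_entries(cfg, certs)
    return sorted(c for c in certs
                  if wanted[f"ca.{c}.tokenname"] != legacy[f"ca.{c}.tokenname"])


if __name__ == "__main__":
    for key, value in sorted(cs_cfg_entries(DEPLOYMENT_CFG).items()):
        print(f"{key}={value}")
    print("certs the legacy code would place in the wrong token:",
          overrides_ignored(DEPLOYMENT_CFG))
```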
Reverted from master (10.4) due to issue reported in bug #1374054:
Reverted from DOGTAG_10_3_BRANCH due to issue reported in Bugzilla Bug #1374054 - ipa-replica-install fails setting up certificate server:
commit 744c506e41f33c7532c0ce8ab08f12bc75d79506
Author: Endi S. Dewata <edewata@redhat.com>
Date: Thu Sep 8 20:06:19 2016 +0200

Removed support for creating system certificates in different tokens.

The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.

https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)
Per CS/DS meeting of 09/12/2016: 10.4 (critical)
Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.4
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: 1 (was: 2)
Upgraded priority to coincide with associated Bugzilla Bug.
Per PKI Bug Council of 03/23/2017:
Metadata Update from @mharmsen:
- Issue priority set to: 3 (was: 1)
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen:
- Issue set to the milestone: FUTURE (was: 10.4)
Metadata Update from @edewata:
- Issue priority set to: blocker (was: major)
- Issue set to the milestone: 10.6 (was: FUTURE)
This blocks PKI 10.6 installation with HSM. The SSL server cert and key need to be created in the internal token, while the other certs and keys need to be created in the HSM.
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.0 (was: 10.6)
- Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2569
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.