#260 certmonger does not see all NSS tokens in certsave-n
Closed: fixed by rcritten. Opened by rcritten.

In certsave-n, when writing a new certificate to a token, a search is done of all available tokens to find a match. On a machine with a hardware HSM, only the NSS internal tokens are being returned, despite the token library being correctly added using modutil.

The journal contains:

Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Found token 'NSS Generic Crypto Services'.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Token is named "NSS Generic Crypto Services", not "NHSM", skipping.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Found token 'NSS Certificate DB'.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Token is named "NSS Certificate DB", not "NHSM", skipping.
Apr 06 10:51:03 client.testrelm.test certmonger[571589]: 2023-04-06 10:51:03 [571589] Request5('20230406144134') moved to state 'NEED_TO_NOTIFY_ISSUED_SAVE_FAILED'

The NHSM token is not found at all.

To reproduce:
1. Install IPA with HSM support
2. ipa-cacert-manage renew --external-ca


PR https://pagure.io/certmonger/pull-request/261

Merged

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
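
A triage aid for the journal excerpt in the issue above, added here as an example and not part of the original issue or of certmonger's code. It separates a wanted token that was never enumerated (this issue's symptom) from one that was enumerated and failed later; the function name `diagnose` and the result keys are assumptions, and the sample lines are copied from the excerpt.

```python
import re

# Journal lines copied from the issue's excerpt (syslog prefix kept).
SAMPLE_JOURNAL = """\
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Found token 'NSS Generic Crypto Services'.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Token is named "NSS Generic Crypto Services", not "NHSM", skipping.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Found token 'NSS Certificate DB'.
Apr 06 10:51:03 client.testrelm.test certmonger[576885]: 2023-04-06 10:51:03 [576885] Token is named "NSS Certificate DB", not "NHSM", skipping.
Apr 06 10:51:03 client.testrelm.test certmonger[571589]: 2023-04-06 10:51:03 [571589] Request5('20230406144134') moved to state 'NEED_TO_NOTIFY_ISSUED_SAVE_FAILED'
"""

# Patterns follow the message formats visible in the excerpt.
FOUND = re.compile(r"Found token '([^']*)'\.")
SKIPPED = re.compile(r'Token is named "([^"]*)", not "([^"]*)", skipping\.')
FAILED = re.compile(r"Request\d+\('([^']*)'\) moved to state '(\w*SAVE_FAILED)'")


def diagnose(journal_text):
    """Summarise certsave-n token enumeration seen in certmonger journal text."""
    enumerated, wanted, failed = [], set(), []
    for line in journal_text.splitlines():
        if (m := FOUND.search(line)):
            if m.group(1) not in enumerated:
                enumerated.append(m.group(1))
        elif (m := SKIPPED.search(line)):
            wanted.add(m.group(2))  # the token name the save was looking for
        elif (m := FAILED.search(line)):
            failed.append((m.group(1), m.group(2)))
    # A wanted token with no "Found token" line was never visible to the
    # saving process, as opposed to being enumerated and rejected later.
    never_enumerated = sorted(wanted - set(enumerated))
    return {
        "enumerated": enumerated,
        "wanted": sorted(wanted),
        "never_enumerated": never_enumerated,
        "failed_requests": failed,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_JOURNAL).items():
        print(f"{key}: {value}")
```

A non-empty `never_enumerated` alongside a `SAVE_FAILED` request points at token visibility in the saving process rather than at the certificate or the token's contents.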
