Bug
Resolution: Unresolved
Normal
rhel-9.7
rhel-idm-cs
Description of problem:
PKI CLI operation-pki client cert request fails with unfriendly error when password is not provided
Version-Release number of selected component (if applicable):
idm-pki-tools-11.7.0-0.1.beta1.el9.x86_64
pki-resteasy-servlet-initializer-3.0.26-19.el9.noarch
idm-pki-server-11.7.0-0.1.beta1.el9.noarch
idm-pki-ca-11.7.0-0.1.beta1.el9.noarch
idm-pki-kra-11.7.0-0.1.beta1.el9.noarch
How reproducible:
Always
Steps to Reproduce:
1. Install CA and KRA by running QE automation
2. Create NSSDB with client-cert-import and import certificate, i.e.
- pki -d /tmp/nssdb -c SECret.123 -P http -p 20080 client-cert-import --ca-server RootCA
- pki -d /tmp/nssdb -c SECret.123 -P http -p 20080 client-cert-import --pkcs12 /opt/topology-02-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
3. Try to perform Cert Request and Approval with and without NSSDB Password:
- pki -d /tmp/nssdb -P http -p 20080 client-cert-request 'uid=testday'
- pki -d /tmp/nssdb -c SECret.123 -P http -p 20080 client-cert-request 'uid=testday'
Expected results:
1. It should create NSSDB with client-cert-import
2. It should generate an error while creating the CSR without the NSSDB password
3. It should process the cert request and approval with nssdb password.
Actual results:
- pki -d /root/nssdb2 -c SECret.123 client-init
NSS database already exists in /root/nssdb2.
Overwrite (y/N)? y
[root@pki1 pki-pytest-ansible]# pki -d /tmp/nssdb2 -c SECret.123 -P http -p 20080 client-cert-import --ca-server RootCA
[root@pki1 pki-pytest-ansible]# pki -d /tmp/nssdb2 -c SECret.123 -P http -p 20080 client-cert-import --pkcs12 /opt/topology-02-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
Imported certificates from PKCS #12 file
[root@pki1 pki-pytest-ansible]# certutil -L -d /tmp/nssdb2
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - topology-02_Foobarmaster.org        CT,C,C
PKI CA Administrator for Example.Org                         u,u,u
[root@pki1 pki-pytest-ansible]# pki -d /tmp/nssdb2 -P http -p 20080 client-cert-request 'uid=testday'
org.mozilla.jss.crypto.TokenException: unable to login to token
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags(Native Method)
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateKeyPair(PK11KeyPairGenerator.java:351)
at org.mozilla.jss.crypto.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:50)
at com.netscape.cmsutil.crypto.CryptoUtil.generateRSAKeyPair(CryptoUtil.java:476)
at org.dogtagpki.nss.NSSDatabase.createRSAKeyPair(NSSDatabase.java:1010)
at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:260)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:694)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:733)
[root@pki1 pki-pytest-ansible]# pki -d /tmp/nssdb2 -P http -p 20080 -c SECret.123 client-cert-request 'uid=testday'
Request ID: 0x5c73ea2d2fb7c21b7a73bf4e96dd5a28
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Tue Jul 29 10:57:21 EDT 2025
Modification Time: Tue Jul 29 10:57:21 EDT 2025
REFERENCE :
https://bugzilla.redhat.com/show_bug.cgi?id=1843537
is cloned by:
RHEL-108304 PKI CLI operation-pki client cert request fails with unfriendly error when password is not provided (New)
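A regression check for the behaviour reported above, as an added example that is not part of the original report or of the PKI project's code: it scans CLI error output for a leaked Java stack trace and names the first CLI frame that let the exception escape. The function name, the `friendly` criterion and the friendly sample message are assumptions; the trace is the one from the report, shortened.

```python
import re

# Header of a Java stack trace: fully qualified exception class, then its message.
EXC_RE = re.compile(
    r"^(?P<cls>(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)):\s*(?P<msg>.*)$")
# Stack frame: "at pkg.Class.method(File.java:123)" or "(Native Method)".
FRAME_RE = re.compile(r"^\s*at\s+(?P<method>[\w$.<>]+)\([^)]*\)\s*$")

# Error output copied from the report (trace shortened to its first six frames).
REPORTED_STDERR = """\
org.mozilla.jss.crypto.TokenException: unable to login to token
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags(Native Method)
at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateKeyPair(PK11KeyPairGenerator.java:351)
at org.mozilla.jss.crypto.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:50)
at com.netscape.cmsutil.crypto.CryptoUtil.generateRSAKeyPair(CryptoUtil.java:476)
at org.dogtagpki.nss.NSSDatabase.createRSAKeyPair(NSSDatabase.java:1010)
at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:260)
"""
# Constructed sample of an acceptable message; the wording is hypothetical.
FRIENDLY_STDERR = "ERROR: NSS database password is required (use -c)\n"


def analyze_cli_stderr(text, cli_prefix="com.netscape.cmstools."):
    """Summarise any Java stack trace that leaked into CLI error output."""
    exception = message = None
    frames = []
    for line in text.splitlines():
        header = EXC_RE.match(line.strip())
        if header and exception is None:
            exception, message = header.group("cls"), header.group("msg")
            continue
        frame = FRAME_RE.match(line)
        if frame:
            frames.append(frame.group("method"))
    # First frame inside the CLI code shows which command let the exception escape.
    origin = next((f for f in frames if f.startswith(cli_prefix)), None)
    return {
        "exception": exception,
        "message": message,
        "frames": frames,
        "origin": origin,
        # Friendly means no exception class name and no stack frames reached the user.
        "friendly": exception is None and not frames,
    }


if __name__ == "__main__":
    for name, sample in (("reported", REPORTED_STDERR), ("friendly", FRIENDLY_STDERR)):
        print(name, analyze_cli_stderr(sample))
```

In a test suite, the `friendly` flag can be asserted on the captured stderr of the `client-cert-request` call made without `-c`.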