RHEL-126761

[RFE] Support storing LWCA private keys on an HSM


    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • rhel-10.2
    • rhel-10.2
    • ipa
    • ipa-4.12.2-27.el10
    • Moderate
    • 1
    • rhel-idm-ipa
    • 13
    • 15
    • 1
    • QE ack, Dev ack
    • False
    • False
    • None
    • None
    • Yes
    • IPA: RHELs for 10.2 and 9.8
    • Requested
    • None
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      cloned from https://pagure.io/freeipa/issue/9865


      LWCA private keys currently generated by PKI are stored in the CA NSS database. Custodia handles syncing keys between CAs.

      If PKI can generate a private key on an HSM, or via some other mechanism, then we need to disable Custodia because the key will be synced by other means. This should be OK since on HSM installs Custodia is already disabled.

      PKI has the capability to generate an LWCA private key on the HSM by specifying the token name along with a colon as the prefix, e.g. mytoken:lwca.

      We need to abstract that so users do not have to remember to use the token name when generating an LWCA.
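As an added example (not FreeIPA or Dogtag PKI code, and not from this issue), the abstraction asked for above, in Python: a helper that takes the nickname an admin types, the HSM token name from the CA's install configuration (an assumed setting), and returns the token-prefixed key id that PKI expects together with whether Custodia key sync is still needed. The function, class and field names are assumptions for illustration; only the `token:nickname` convention comes from the description.

```python
"""Added example (not FreeIPA or Dogtag PKI code): hide the 'token:nickname'
convention PKI uses to place a lightweight CA (LWCA) key on an HSM, and decide
whether Custodia still has to sync the key between CA replicas.
Names below are assumptions for illustration."""

from dataclasses import dataclass
from typing import Optional

# NSS's built-in software token; a key there lives in the NSS database, not on an HSM.
SOFTOKEN_NAMES = {"", "internal", "nss certificate db"}


@dataclass(frozen=True)
class LwcaKeySpec:
    nickname: str          # key nickname handed to PKI
    token: Optional[str]   # HSM token name, or None for the NSS database
    hsm_backed: bool       # True when the key is generated on an HSM

    @property
    def pki_key_id(self) -> str:
        """Identifier PKI expects: 'token:nickname' on an HSM, bare nickname otherwise."""
        return f"{self.token}:{self.nickname}" if self.hsm_backed else self.nickname

    @property
    def custodia_sync_needed(self) -> bool:
        """Custodia copies NSS-DB keys between CAs; an HSM key is shared by other means."""
        return not self.hsm_backed


def resolve_lwca_key(user_value: str, configured_token: Optional[str]) -> LwcaKeySpec:
    """Map what the admin typed ('lwca' or 'mytoken:lwca') onto the key spec for PKI.

    configured_token is the HSM token name from the CA's install configuration
    (an assumed setting); None or the NSS softoken name means no HSM.
    """
    value = user_value.strip()
    if not value:
        raise ValueError("LWCA key nickname must not be empty")

    hsm_token = configured_token
    if hsm_token is None or hsm_token.lower() in SOFTOKEN_NAMES:
        hsm_token = None

    if ":" in value:
        # Admin typed an explicit token prefix; accept it only if it is the configured HSM.
        given_token, nickname = value.split(":", 1)
        if not nickname:
            raise ValueError(f"missing key nickname after token prefix in {value!r}")
        if hsm_token is None:
            raise ValueError(f"token prefix {given_token!r} given but this CA has no HSM configured")
        if given_token != hsm_token:
            raise ValueError(f"token {given_token!r} does not match the configured HSM token {hsm_token!r}")
        return LwcaKeySpec(nickname=nickname, token=hsm_token, hsm_backed=True)

    # Bare nickname: prefix the configured token automatically, or use the NSS DB.
    if hsm_token is None:
        return LwcaKeySpec(nickname=value, token=None, hsm_backed=False)
    return LwcaKeySpec(nickname=value, token=hsm_token, hsm_backed=True)


if __name__ == "__main__":
    for typed, token in (("lwca", None), ("lwca", "mytoken"), ("mytoken:lwca", "mytoken")):
        spec = resolve_lwca_key(typed, token)
        print(f"{typed!r} with token {token!r} -> key id {spec.pki_key_id!r}, "
              f"custodia sync {'on' if spec.custodia_sync_needed else 'off'}")
```

The explicit-prefix branch rejects a token name that differs from the configured one rather than passing it through, so a typo cannot send the key to a token the replicas do not share while Custodia sync is switched off.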

              Florence Renaud (frenaud@redhat.com)
              Francisco Trivino Garcia (ftrivino@redhat.com)
              Florence Renaud
              Sudhir Menon