Bug
Resolution: Unresolved
rhel-10.2
rhel-idm-pki
What were you trying to do that didn't work?
When doing a client cert request, if no password is provided, the behavior is not helpful.
What is the impact of this issue to you?
Customer Experience
Please provide the package NVR for which the bug is seen:
- more /etc/redhat-release
Red Hat Enterprise Linux release 10.2 Beta (Coughlan)
- rpm -qa | grep pki
python3-idm-pki-11.7.1-1.el10.noarch
idm-pki-base-11.7.1-1.el10.noarch
idm-pki-java-11.7.1-1.el10.noarch
idm-pki-tools-11.7.1-1.el10.x86_64
idm-pki-server-11.7.1-1.el10.noarch
idm-pki-acme-11.7.1-1.el10.noarch
idm-pki-ca-11.7.1-1.el10.noarch
idm-pki-kra-11.7.1-1.el10.noarch
How reproducible is this bug?:
Always
Steps to reproduce
Install CA and PKI discrete PKI topology subsystems
Execute: pki -d /tmp/nssdb -P http -p 20080 client-cert-request "uid=testcert"
Expected results
Expected Result: Successful if command provided but prompt the user for a password if none is provided.
Actual results
Initialize db and provide no password:
- pki -d /tmp/nssdb -P http -p 20080 client-cert-request 'uid=testday'
org.mozilla.jss.crypto.TokenException: unable to login to token
    at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags(Native Method)
    at org.mozilla.jss.pkcs11.PK11KeyPairGenerator.generateKeyPair(PK11KeyPairGenerator.java:351)
    at org.mozilla.jss.crypto.KeyPairGenerator.genKeyPair(KeyPairGenerator.java:50)
    at com.netscape.cmsutil.crypto.CryptoUtil.generateRSAKeyPair(CryptoUtil.java:476)
    at org.dogtagpki.nss.NSSDatabase.createRSAKeyPair(NSSDatabase.java:1010)
    at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:260)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:694)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:733)
To see this error, change the nssdb passwd:
- certutil -d /tmp/nssdb -W
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
- certutil -d /tmp/nssdb -W
Enter new password:
Re-enter password:
Provide no password:
- pki -d ~/.dogtag/pki-tomcat -P http -p 20080 client-cert-request "uid=testcert"
Request ID: 0x499b9c236a9aed42473fb43be87d142f
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Mon Dec 15 15:55:56 EST 2025
Modification Time: Mon Dec 15 15:55:56 EST 2025
Provide bogus password:
[root@vm-10-0-186-191 ~]# pki -d ~/.dogtag/pki-tomcat -P http -p 20080 -c BBABABABABPWD client-cert-request "uid=testcert"
Request ID: 0xeb6355a207908aa2d890d0078795ea8b
Type: enrollment
Request Status: pending
Operation Result: success
Creation Time: Mon Dec 15 15:56:33 EST 2025
Modification Time: Mon Dec 15 15:56:33 EST 2025