RHEL-144822

Some of the profiles missing keyParameter for MLDSA key size - SubCA and KRA installation failing


    • Task
    • Resolution: Done
    • rhel-10.2
    • dogtag-pki
    • rhel-idm-pki
    • 2026-IDM-PKI-S2

      SubCA installation is failing with the MLDSA algorithm because of a missing key length in the file below:

      /var/lib/pki/topology-SubCA-mldsa-CA/ca/profiles/ca/caInstallCACert.cfg

       
      2026-01-28T11:23:15 FINE: Response:
      2026-01-28T11:23:15 <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>3</Status><Error>Request 2223875746967712914203781228499920449 Rejected - Key Parameters 2048,3072,4096,nistp256,nistp384,nistp521 Not Matched</Error><RequestId> 2223875746967712914203781228499920449</RequestId></XMLResponse>
      2026-01-28T11:23:15 FINE: CACertClient: Response: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>3</Status><Error>Request 2223875746967712914203781228499920449 Rejected - Key Parameters 2048,3072,4096,nistp256,nistp384,nistp521 Not Matched</Error><RequestId> 2223875746967712914203781228499920449</RequestId></XMLResponse>
      2026-01-28T11:23:15 FINE: CACertClient: - status: 3
      2026-01-28T11:23:15 SEVERE: Unable to generate certificate: Request 2223875746967712914203781228499920449 Rejected - Key Parameters 2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
      2026-01-28T11:23:15 java.io.IOException: Unable to generate certificate: Request 2223875746967712914203781228499920449 Rejected - Key Parameters 2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
      2026-01-28T11:23:15 at com.netscape.certsrv.ca.CACertClient.submitRequest(CACertClient.java:250)
      2026-01-28T11:23:15 at com.netscape.cmstools.ca.CACertIssueCLI.issueCert(CACertIssueCLI.java:231)
      2026-01-28T11:23:15 at com.netscape.cmstools.ca.CACertIssueCLI.execute(CACertIssueCLI.java:514)
      2026-01-28T11:23:15 at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:70)
      2026-01-28T11:23:15 at com.netscape.cmstools.cli.SubsystemCommandCLI.execute(SubsystemCommandCLI.java:232)
      2026-01-28T11:23:15 at com.netscape.cmstools.cli.MainCLI.executeCommand(MainCLI.java:710)
      2026-01-28T11:23:15 at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:759)
      2026-01-28T11:23:15 at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:799)
      2026-01-28T11:23:15 ERROR: CalledProcessError: Command ''pki', '-d', '/var/lib/pki/topology-SubCA-mldsa-SubCA/conf/alias', '-f', '/var/lib/pki/topology-SubCA-mldsa-SubCA/conf/password.conf', 'ca-cert-issue', '-U', '[https://pki1.example.com:20443' returned non-zero exit status 255.
      2026-01-28T11:23:15 File "/usr/lib/python3.14/site-packages/pki/server/pkispawn.py", line 594, in main
      2026-01-28T11:23:15 deployer.spawn()
      2026-01-28T11:23:15 ~~~~~~~~~~~~~~^^
      2026-01-28T11:23:15 File "/usr/lib/python3.14/site-packages/pki/server/deployment/__init__.py", line 5902, in spawn
      2026-01-28T11:23:15 scriptlet.spawn(self)
      2026-01-28T11:23:15 ~~~~~~~~~~~~~~~^^^^^^
      2026-01-28T11:23:15 File "/usr/lib/python3.14/site-packages/pki/server/deployment/scriptlets/configuration.py", line 137, in spawn
      2026-01-28T11:23:15 deployer.setup_system_certs(nssdb, subsystem)

              rh-ee-mfargett Marco Fargetta
              skhande shalini khandelwal
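
A check for the condition reported above, as an added example that is not part of the original issue or of the dogtag-pki code: it scans profile .cfg text for keyConstraintImpl constraints and lists the profiles whose keyParameters do not include a wanted value. The sample profile is constructed from the list in the rejection message, and the ML-DSA parameter name is a placeholder because the issue does not state it.

```python
import re

# Constructed sample in the Dogtag profile .cfg layout; the keyParameters value
# mirrors the list in the rejection message, not the real caInstallCACert.cfg.
SAMPLE_PROFILE = """\
policyset.caCertSet.list=1,3
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.params.pattern=CN=.*
policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
policyset.caCertSet.3.constraint.params.keyType=-
policyset.caCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521
"""

# Matches only the two properties needed per constraint: its class and its key list.
KEY = re.compile(r"^policyset\.([^.]+)\.([^.]+)\.constraint\.(class_id|params\.keyParameters)$")


def key_constraints(profile_text):
    """Return {(policy set, policy id): [allowed keyParameters]} for each keyConstraintImpl."""
    found = {}
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        m = KEY.match(name.strip())
        if m:
            found.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = value.strip()
    return {
        k: [p.strip() for p in v.get("params.keyParameters", "").split(",") if p.strip()]
        for k, v in found.items()
        if v.get("class_id") == "keyConstraintImpl"
    }


def profiles_missing(profiles, wanted):
    """Names of profiles that have a key constraint whose list lacks `wanted`."""
    return sorted(
        name for name, text in profiles.items()
        if any(wanted not in allowed for allowed in key_constraints(text).values())
    )


if __name__ == "__main__":
    wanted = "MLDSA-PARAM-PLACEHOLDER"  # hypothetical: substitute the value your build expects
    print(profiles_missing({"caInstallCACert.cfg": SAMPLE_PROFILE}, wanted))
```

To audit an instance, read every file under its profiles directory into the `profiles` dict and run the check before attempting the SubCA or KRA installation.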