Hi Johnny,
> PKI Master Alert: Aborting all operations
> PKI Master Alert: Error: 7154001
> PKI Master Alert: Message: Key generation not
> supported.
> PKI Master Alert: debugging messages of empty token
> follow
> OpenCA::OpenSSL->_stop_shell: try to stop shell
> OpenCA::OpenSSL->_stop_shell: try to stop shell

As documented in the OpenCA guide, key generation is not supported
by OpenCA's nCipher module. If I remember correctly, you followed
my suggestions in the guide concerning the key ceremony. If this is
the case, then you already have a usable RSA key for use as CA key;
it's probably named rsa-rootkey.
So simply skip the "Generate private key" step in CA initialization.
Just advance to the next step, e.g. create a CA certificate request
to be signed by your Root CA.

This was the logical part of your problem.

The error log indicates that your nCipher module (or better, the
command line tools) is a bit slow in answering requests. When I
wrote the module I was a bit too optimistic about execution speed.
So the nCipher Perl module assumes that e.g. the command

    /opt/bin/nfast/nfkmverify hwcrhk rsa-rootkey

terminates within 6 seconds. (You can try this on the command line.)
In one of the next releases I will raise the timeout and make it
configurable.

For the time being, you will have to modify the program code to
make it work:
Edit the OpenCA/Token/nCipher.pm file. In the constructor you will
find the following:

# timeout for external nCipher utilities.
# there are several error conditions that may lead to
# nCipher tools not terminating (such as switching off
# a SCSI attached module). in order to gracefully handle
# this we introduce a sensible timeout after which the
# command will be terminated.
CHECKCMDTIMEOUT => 6,

Change this value to something higher, e.g. 15, to make it time out
after 15 seconds. You can estimate the value by the time the above
command needs to complete for your system.

Sorry for the inconvenience...

Martin
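
The timing estimate suggested in the message above, as an added sketch that is not part of the original message or of OpenCA. The helper name suggest_timeout, the run count and the headroom factor are assumptions; the command path and key name are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: derive a CHECKCMDTIMEOUT candidate from measured run time.
# suggest_timeout is a hypothetical helper, not part of OpenCA or nCipher.

# Usage: suggest_timeout RUNS FACTOR COMMAND [ARGS...]
# Runs COMMAND RUNS times and prints (slowest run, rounded up to whole
# seconds) * FACTOR. Returns 1 without printing if any run fails, because
# a command that errors out early would make the module look faster than
# it really is.
suggest_timeout() {
    st_runs=$1
    st_factor=$2
    shift 2
    st_worst=0
    st_i=0
    while [ "$st_i" -lt "$st_runs" ]; do
        st_start=$(date +%s)
        if ! "$@" >/dev/null 2>&1; then
            echo "command failed, timing not usable: $*" >&2
            return 1
        fi
        st_end=$(date +%s)
        # date +%s has one-second resolution, so add 1 to round up.
        st_elapsed=$((st_end - st_start + 1))
        if [ "$st_elapsed" -gt "$st_worst" ]; then
            st_worst=$st_elapsed
        fi
        st_i=$((st_i + 1))
    done
    echo $((st_worst * st_factor))
}

# Command and key name as quoted in the message above; skipped when the
# nCipher tools are not installed on this machine.
NFKMVERIFY=/opt/bin/nfast/nfkmverify
if [ -x "$NFKMVERIFY" ]; then
    # 5 runs and a headroom factor of 2 (both values are assumptions).
    if t=$(suggest_timeout 5 2 "$NFKMVERIFY" hwcrhk rsa-rootkey); then
        echo "CHECKCMDTIMEOUT => $t,"
    fi
fi
```

Run it on the CA host while the module is under its normal load, since the slowest observed run is what the timeout has to cover.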