While testing the fix for bug 374247:

certutil -S -n NewCert5 -s "O=BLA,C=US" -h "scaFIPS" -t ,,, -x -d .
Enter Password or Pin for "scaFIPS":
...deleted text...
Generating key. This may take a few moments...
certutil: could not change trust on certificate: The operation failed because the PKCS#11 token is not logged in.

--- the key and cert were generated

certutil -K -d . -h scaFips
certutil: Checking token "scaFIPS" in slot "scaFIPS"
Enter Password or Pin for "scaFIPS":
< 0> rsa 583003972b23ac4890166562f9b56ceb68dd489b scaFIPS:NewCert5

certutil -L -d .
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI
NewCert5                      ,,

I got the same error for cert9 on another box with a sca6000 card where the token is not in FIPS mode.
Summary: using "sql/cert9 db" certutil is not able to successfully create a new certificate using a hardware token → using "sql/cert9 db" certutil cannot set trust on a new certificate created using a hardware token
I have a similar issue when adding a certificate to HW token, after successful export of key and signing by a CA:

[xxx@xxxxxxxx:] hw-nss$ certutil -h dev-xx-xx -d . -A -n test-hw-nss -t "p,p,p" -i test-hw-nss.crt
Enter Password or Pin for "dev-xx-xx":
< then password entry >
certutil: could not change trust on certificate: The operation failed because the PKCS#11 token is not logged in.