Can't sign intermediate CA CSR with Nitrokey HSM2 and PKIAAS

After creating my root CA on my HSM2, I intend to sign an intermediate CA with it.

In the navigation bar, I go to CA / Import Signer. I get the following error:

HTTP ERROR 500 org.mozilla.javascript.EcmaError: TypeError: The element type “p” must be terminated by the matching end-tag “</p>”. (/usr/share/pkiaas/pki-as-a-service/processes/ImportX509SignerRequestController.js#170) at /usr/share/pkiaas/pki-as-a-service/processes/ImportX509SignerRequestController.js#156 at /usr/share/pkiaas/pki-as-a-service/ui/ServiceRequestController.js#472 at /usr/share/pkiaas/pki-as-a-service/ui/ServiceRequestController.js#602 at /usr/share/pkiaas/pki-as-a-service/ui/CAGUI.js#607 at /usr/share/pkiaas/scsh/srv-cc1/ApplicationServer.js#429 at /usr/share/pkiaas/scsh/srv-cc1/ApplicationServer.js#534 at /usr/share/pkiaas/apps/startup.js#156
URI: /se/paas/sr/new
STATUS: 500
MESSAGE: org.mozilla.javascript.EcmaError: TypeError: The element type “p” must be terminated by the matching end-tag “</p>”. (/usr/share/pkiaas/pki-as-a-service/processes/ImportX509SignerRequestController.js#170) at /usr/share/pkiaas/pki-as-a-service/processes/ImportX509SignerRequestController.js#156 at /usr/share/pkiaas/pki-as-a-service/ui/ServiceRequestController.js#472 at /usr/share/pkiaas/pki-as-a-service/ui/ServiceRequestController.js#602 at /usr/share/pkiaas/pki-as-a-service/ui/CAGUI.js#607 at /usr/share/pkiaas/scsh/srv-cc1/ApplicationServer.js#429 at /usr/share/pkiaas/scsh/srv-cc1/ApplicationServer.js#534 at /usr/share/pkiaas/apps/startup.js#156
SERVLET: org.openscdp.scriptingserver.ScriptingServlet-2f54a33d
Powered by Jetty:// 10.0.12

This looks like a bug in PKI-as-a-Service?

Never got pkiaas to work myself, so thank you for exploring the path.

This looks like some stupid HTML error somewhere. I tried once to build the software from source, but this was never a priority to me. But I guess this could be fixed easily.

Fixed in 1.0.326 on the integration branch. Should be fixed if you redeploy.

The bug has been there since Oct 22, but we recently upgraded the Rhino engine and the newer version seems to be more pedantic on XML structures.

Btw. “Import Signer” is probably not what you are looking for. If it is an external Sub-CA then you need a PKCS#10 Request from that CA and process it with “Home” / “Request Certificate (PKCS#10)”.

“Import Signer” can be used to import an existing key pair and certificate on the token.


I would have confirmed if that was fixed but could not find how to redeploy from the integration branch :thinking:

Anyway, I used the “Request Certificate (PKCS#10)” menu entry and could do what I wanted. Thanks for the quick fix and the heads up.
