When an ECC CA is set up (with the bug fix from https://bugzilla.redhat.com/show_bug.cgi?id=455305), no subsystems can be hooked onto the same security domain. The reason is that all the certs on the same system share the same key type. So, during the installation of a CA, if you select "ECC" then all the system certs (CA signing, SSL server, OCSP signing, subsystem, etc.) are ECC certs. With an ECC SSL server cert, only ECC-aware clients can establish a connection with it. So, in the case when one tries to install a subordinate CA, for example, the connection to the security domain (admin port) will fail because it tries to use SSL server auth.
VERIFIED for other subsystems like OCSP, KRA successfully.

1/ successful ECC OCSP installation and OCSP signing cert in EC

#############################################
[root@beta ~]# certutil -L -d /var/lib/pki-ocsp-in1/alias/ -h nethsm2k -n "nethsm2k:ocspSigningCert cert-pki-ocsp-in1"
Enter Password or Pin for "nethsm2k":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "CN=Certificate Authority,OU=pki-ca-in1,O=DsdevSjcRedhat Doma
            in in1"
        Validity:
            Not Before: Mon Jan 24 13:26:46 2011
            Not After : Sun Jan 13 13:26:46 2013
        Subject: "CN=OCSP Signing Certificate,OU=pki-ocsp-in1,O=DsdevSjcRedha
            t Domain in1"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:26
            EC Public Key:
                PublicValue:
                    04:01:cd:69:4a:23:fc:b4:51:0b:0d:17:3d:ff:ef:fb:
                    6c:7d:3d:f1:20:58:04:98:e8:f6:18:ac:c5:9f:96:d2:
                    b4:62:c3:cb:66:57:f7:dc:9d:39:1c:98:bf:83:cc:3a:
                    f5:d1:9d:e9:c6:d7:a2:83:19:12:48:02:cc:9b:18:1e:
                    d5:53:c9:fb:a4:0f:ea:06:0a:05:1a:e3:35:15:b3:7c:
                    5b:14:77:b4:8c:cd:1e:52:22:49:34:ae:b9:cd:1e:5a:
                    cd:e8:c7:b0:09:20:30:85:9e:3e:ef:ba:48:e0:af:47:
                    0b:73:71:d0:b9:da:88:92:34:77:9c:87:4e:cf:a2:ba:
                    95:d1:47:34:43:39:62:56:d2:b0:bf:5b:57:7a:77:27:
                    07
                Curve: SECG elliptic curve sect571k1 (aka NIST K-571)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                ec:0c:f6:06:f0:58:5d:12:d3:60:94:c6:15:f6:d2:82:
                f4:9c:d8:6d

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://beta.dsdev.sjc.redhat.com:51380/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: X9.62 ECDSA signature with SHA256
    Signature:
        30:81:87:02:41:63:f6:64:86:5c:38:c4:2b:c8:34:f4:
        ab:5a:32:b9:1b:dc:e3:46:99:c1:ef:0c:6e:ad:0c:44:
        bf:ec:7c:3a:ea:0f:af:d4:3d:bb:6f:8d:d1:b1:3b:87:
        a4:cb:f1:f5:84:17:09:0a:cd:71:4d:60:46:2d:f6:59:
        3a:55:f7:29:5e:7a:02:42:01:76:14:14:17:c5:f7:26:
        b5:82:ec:48:f0:0a:fd:64:ce:e5:d7:d0:e8:4d:a5:a3:
        44:e6:71:7f:5c:8c:7d:18:88:83:80:4b:92:5e:ae:f7:
        02:37:94:0c:ce:71:da:38:49:52:a5:68:49:94:65:0e:
        61:4b:99:51:2f:0a:9e:31:cc:74
    Fingerprint (MD5):
        40:90:23:8A:BB:26:EF:82:82:15:C0:11:AF:61:F1:EC
    Fingerprint (SHA1):
        5C:AA:E6:CE:C7:FC:C8:62:6A:0C:8E:A5:C4:FF:49:51:3F:07:EE:B3

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
#############################################

2/ Successful ECC DRM (storage cert)

#############################################
[root@beta alias]# certutil -L -d /var/lib/pki-kraink1/alias/ -h nethsm2k -n "nethsm2k:storageCert cert-pki-kraink1"
Enter Password or Pin for "nethsm2k":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
        Signature Algorithm: X9.62 ECDSA signature with SHA256
        Issuer: "CN=Certificate Authority,OU=pki-ca-in1,O=DsdevSjcRedhat Doma
            in in1"
        Validity:
            Not Before: Mon Jan 24 15:45:23 2011
            Not After : Sun Jan 13 15:45:23 2013
        Subject: "CN=DRM Storage Certificate,OU=pki-kraink1,O=DsdevSjcRedhat Domain in1"
        Subject Public Key Info:
            Public Key Algorithm: X9.62 elliptic curve public key
                Args:
                    06:05:2b:81:04:00:23
            EC Public Key:
                PublicValue:
                    04:01:1a:df:7d:2e:4b:54:ee:e2:0c:e4:11:72:73:a2:
                    1d:f6:0f:e3:8d:36:1d:60:5f:d0:80:f2:12:cb:8b:b7:
                    01:51:bc:94:38:eb:2e:03:fe:b7:38:0c:e9:60:72:52:
                    70:88:90:67:b0:65:03:42:79:c5:25:b8:79:67:59:bf:
                    44:2e:76:00:26:e1:4e:67:86:62:8e:9b:8a:e9:c9:b2:
                    5f:f1:c0:f5:f5:0e:ea:c9:48:a4:11:dd:19:00:fa:a1:
                    1c:d4:ee:59:5c:d4:fb:0a:56:7f:90:b7:4f:68:e0:7b:
                    44:c7:34:0e:1d:f3:9a:b1:3e:d8:5c:c8:f6:3b:f5:f6:
                    27:94:0d:81:71
                Curve: SECG elliptic curve secp521r1 (aka NIST P-521)
#####################################################
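An added example, not part of the original bug comments: a small check that decodes the DER curve OID in the "Args" field of the certutil output above and confirms it matches the "Curve" label, which is how the key type of each system cert can be verified when checking an ECC installation. The function names and the RSA sample are assumptions made for the illustration; the two EC excerpts are trimmed from the listings above.

```python
import re

# SECG (SEC 2) OIDs for the two curves that appear in the certutil output above.
CURVES = {"1.3.132.0.38": "sect571k1", "1.3.132.0.35": "secp521r1"}

def decode_der_oid(colon_hex):
    """Decode a short-form DER OBJECT IDENTIFIER such as 06:05:2b:81:04:00:26."""
    data = bytes.fromhex(colon_hex.replace(":", ""))
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OID: " + colon_hex)
    if data[-1] & 0x80:
        raise ValueError("truncated OID: " + colon_hex)
    subids, value = [], 0
    for byte in data[2:]:                 # base-128, high bit = "more bytes follow"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)       # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def check_key(cert_text):
    """Return (oid, curve, ok); ok means EC key, known curve, and matching label."""
    algo = re.search(r"Public Key Algorithm:\s*(.+)", cert_text)
    args = re.search(r"Args:\s*((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})", cert_text)
    label = re.search(r"Curve:\s*(.+)", cert_text)
    if not (algo and args and label) or "elliptic curve" not in algo.group(1):
        return (None, None, False)        # RSA key or incomplete output
    oid = decode_der_oid(args.group(1))
    curve = CURVES.get(oid)
    return (oid, curve, curve is not None and curve in label.group(1))

# Key-related lines only, trimmed from the two listings above.
OCSP_SIGNING = """Public Key Algorithm: X9.62 elliptic curve public key
Args: 06:05:2b:81:04:00:26
Curve: SECG elliptic curve sect571k1 (aka NIST K-571)"""
KRA_STORAGE = """Public Key Algorithm: X9.62 elliptic curve public key
Args: 06:05:2b:81:04:00:23
Curve: SECG elliptic curve secp521r1 (aka NIST P-521)"""
# Constructed negative case: an RSA key carries no curve parameters.
RSA_SAMPLE = "Public Key Algorithm: PKCS #1 RSA Encryption"

if __name__ == "__main__":
    for name, text in [("ocsp", OCSP_SIGNING), ("kra", KRA_STORAGE), ("rsa", RSA_SAMPLE)]:
        print(name, check_key(text))
```

The same function accepts the full `certutil -L` listing for a cert, since it only looks at the three key-related fields.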