From f0e3715b39ea2682f4ef689f5d5864e16117fb00 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 27 Aug 2015 07:37:24 +0200
Subject: [PATCH] cert renewal: Automatically update KRA agent PEM file
https://fedorahosted.org/freeipa/ticket/5253
Reviewed-By: Alexander Bokovoy
---
 install/restart_scripts/renew_ra_cert | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 1f8fcae6fa09033f7a5c6448e0bbef14a5f76844..93ffd4035723831f3955bcdf5a2082fd1ec5e22a 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -29,7 +29,7 @@ import traceback
 from ipapython import ipautil
 from ipalib import api
-from ipaserver.install import certs, cainstance
+from ipaserver.install import certs, cainstance, krainstance
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -60,6 +60,16 @@ def _main():
 # Load it into dogtag
 cainstance.update_people_entry(dercert)
+
+ kra = krainstance.KRAInstance(api.env.realm)
+ if kra.is_installed():
+ # export ipaCert with private key for client authentication
+ args = ["/usr/bin/pki",
+ "-d", paths.HTTPD_ALIAS_DIR,
+ "-C", paths.ALIAS_PWDFILE_TXT,
+ "client-cert-show", "ipaCert",
+ "--client-cert", paths.KRA_AGENT_PEM]
+ ipautil.run(args)
 finally:
 shutil.rmtree(tmpdir)
-- 
2.5.1
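Review bot: The export at the end of the `if kra.is_installed():` branch writes ipaCert together with its private key to `paths.KRA_AGENT_PEM`, and nothing in the hunk sets the file's owner or mode afterwards. If `pki client-cert-show` recreates the file instead of rewriting it in place, the result depends on the umask the renewal helper runs under, so the key could end up readable more widely than intended or unreadable by the service that uses it. Pin it right after `ipautil.run(args)`, e.g. `os.chmod(paths.KRA_AGENT_PEM, 0o440)` plus a chown to the web server's group, matching whatever the KRA installer applies to this file (this assumes `os` is imported; the import block is only partly visible). A comment such as `# contains the RA agent private key: keep owner/mode restricted` would also help the next reader. `_main()` starts and ends outside the hunk, so whether a failed export is logged or aborts the rest of the renewal cannot be judged from here.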