From f0e3715b39ea2682f4ef689f5d5864e16117fb00 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Thu, 27 Aug 2015 07:37:24 +0200

Subject: [PATCH] cert renewal: Automatically update KRA agent PEM file

https://fedorahosted.org/freeipa/ticket/5253

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 install/restart_scripts/renew_ra_cert | 12 +++++++++++-

 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert

index 1f8fcae6fa09033f7a5c6448e0bbef14a5f76844..93ffd4035723831f3955bcdf5a2082fd1ec5e22a 100644

--- a/install/restart_scripts/renew_ra_cert

+++ b/install/restart_scripts/renew_ra_cert

@@ -29,7 +29,7 @@ import traceback

 from ipapython import ipautil

 from ipalib import api

-from ipaserver.install import certs, cainstance

+from ipaserver.install import certs, cainstance, krainstance

 from ipaplatform import services

 from ipaplatform.paths import paths

@@ -60,6 +60,16 @@ def _main():

             # Load it into dogtag

             cainstance.update_people_entry(dercert)

+

+        kra = krainstance.KRAInstance(api.env.realm)

+        if kra.is_installed():

+            # export ipaCert with private key for client authentication

+            args = ["/usr/bin/pki",

+                    "-d", paths.HTTPD_ALIAS_DIR,

+                    "-C", paths.ALIAS_PWDFILE_TXT,

+                    "client-cert-show", "ipaCert",

+                    "--client-cert", paths.KRA_AGENT_PEM]

+            ipautil.run(args)

     finally:

         shutil.rmtree(tmpdir)

-- 

2.5.1