diff --git a/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch b/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
new file mode 100644
index 0000000..bdff388
--- /dev/null
+++ b/SOURCES/0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
@@ -0,0 +1,39 @@
+From 5f1100e83146e898dca431d6cdaf62ab986e599d Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 9 Jun 2021 17:39:56 +0200
+Subject: [PATCH] CA less installation: non ASCII chars in CA subject
+
+In CA-less installation, ipa-server-install fails when the CA
+certificate contains a subject with non ASCII characters.
+
+ipa-server-install is internally calling ipautil.run(...)
+to launch a certutil -n nickname command, and the nickname is
+provided as a unicode instead of a string.
+
+The fix makes sure the nickname is provided as a utf-8
+encoded string.
+
+Fixes: https://pagure.io/freeipa/issue/8879
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipalib/install/certstore.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
+index 8b182958c26e066eaeca859f451073c83e82bd67..4d406c0ce34cb1bdd39dcbac70eae4f6b0895cb5 100644
+--- a/ipalib/install/certstore.py
++++ b/ipalib/install/certstore.py
+@@ -294,7 +294,7 @@ def get_ca_certs(ldap, base_dn, compat_realm, compat_ipa_ca,
+ 'cACertificate;binary'])
+
+ for entry in result:
+- nickname = entry.single_value['cn']
++ nickname = entry.single_value['cn'].encode('utf-8')
+ trusted = entry.single_value.get('ipaKeyTrust', 'unknown').lower()
+ if trusted == 'trusted':
+ trusted = True
+--
+2.26.3
+
diff --git a/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch b/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
new file mode 100644
index 0000000..be79963
--- /dev/null
+++ b/SOURCES/0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
@@ -0,0 +1,37 @@
+From 50c77ddd79c1f469d40ebba3d337e4f88bdabb2f Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 9 Jun 2021 17:51:15 +0200
+Subject: [PATCH] ipatests: use non-ascii chars in CA-less install
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The CA-less installation creates an external CA with the
+subject CN=CA,O=Example Organization.
+In order to test non-ascii subjects, use
+CN=CA,O=Example Organization EspaƱa
+instead.
+
+Related: https://pagure.io/freeipa/issue/8879
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/pytest_ipa/integration/create_caless_pki.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
+index 9a2e8e26b63729517f329bee736a315f9e8f0744..9279fdee9139e6a6050efa07cfa4fe1747afe4db 100644
+--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
++++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
+@@ -550,7 +550,7 @@ def create_pki():
+ x509.NameAttribute(NameOID.COMMON_NAME, server2)
+ ])
+ )
+- ca1 = gen_subtree(u'ca1', u'Example Organization')
++ ca1 = gen_subtree(u'ca1', u'Example Organization Espa\xf1a')
+ gen_subtree(u'subca', u'Subsidiary Example Organization', ca1)
+ gen_subtree(u'ca2', u'Other Example Organization')
+ ca3 = gen_subtree(u'ca3', u'Unknown Organization')
+--
+2.26.3
+
diff --git a/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch b/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
new file mode 100644
index 0000000..c8a76d1
--- /dev/null
+++ b/SOURCES/0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
@@ -0,0 +1,36 @@
+From 12124fcb8c908d208d8863c00cf19a511bd54d1c Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 11 Jun 2021 14:00:08 +0200
+Subject: [PATCH] Allow PKINIT to be enabled when updating from a pre-PKINIT
+ IPA CA server
+
+When upgrading from a server with IPA CA before PKINIT was introduced
+(4.5), PKINIT would not be enabled and there wasn't any way to enable it
+since upgrade code only issues self-signed certificates when
+certificates are missing. With these change there is a way to enable
+PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
+before).
+
+Fixes: https://pagure.io/freeipa/issue/8532
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/ipa_pkinit_manage.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
+index 86bd1baf00178a629864b210ca9f4786668149df..bf5875d4f3f35465e6a9ff708d19c25bc3f95063 100644
+--- a/ipaserver/install/ipa_pkinit_manage.py
++++ b/ipaserver/install/ipa_pkinit_manage.py
+@@ -78,6 +78,8 @@ class PKINITManage(AdminTool):
+ krb.enable_ssl()
+
+ if setup_pkinit:
++ if not is_pkinit_enabled():
++ krb.setup_pkinit()
+ krb.pkinit_enable()
+ else:
+ krb.pkinit_disable()
+--
+2.26.3
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 0cb4f84..38faab6 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From cab573c5e2fb5631c9fd77a41ff77103ea51f9b3 Mon Sep 17 00:00:00 2001
+From a93c2ff982b27166206eab66f1b7d6c13eff63ed Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 6cc1d21..a53c925 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 514a42e4ea723e6630ac24ff3ea68a442137ab52 Mon Sep 17 00:00:00 2001
+From e83c5db6277d24159c869da9463ab2737396cddc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 8cea203..41c4053 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 90ffaffce2db5467ac6fd773db53373adfff69b4 Mon Sep 17 00:00:00 2001
+From 98045b1cf0c3d18c958c67a585c8745cf0948675 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 27f9930..0964281 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From e4ef3eb243d8e4fe26dee86529f90f8aaa8ab00f Mon Sep 17 00:00:00 2001
+From e4d43beea85e161ac426a5bff8fe10118a72a9a4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 6da2669..e6a31b2 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 17675289caa161c6574d1afbc813bd91efe71064 Mon Sep 17 00:00:00 2001
+From 47575ded74d9bd4b0691b0e356453629e8d00e49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Fri, 10 Aug 2018 13:16:38 +0200
Subject: [PATCH] Removing filesystem encoding check
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d1150d8..d550e00 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -103,7 +103,7 @@
Name: ipa
Version: %{IPA_VERSION}
-Release: 5%{?dist}.6
+Release: 5%{?dist}.7
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -111,9 +111,9 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -142,6 +142,9 @@ Patch0021: 0021-ipa-kdb-add-missing-prototypes.patch
Patch0022: 0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
Patch0023: 0023-ipa-kdb-mark-test-functions-as-static.patch
Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
+Patch0025: 0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
+Patch0026: 0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
+Patch0027: 0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Package-copy-schema-to-ca.py.patch
Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -402,10 +405,7 @@ Requires: oddjob
Requires: gssproxy >= 0.7.0-2
# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
Requires: system-logos >= 70.7.0
-%endif
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -962,9 +962,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
# with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -988,8 +988,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
%make_build
@@ -1010,8 +1009,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
popd
%endif
# with_python3
@@ -1098,11 +1096,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
# RHEL spec file only: START: Replace login-screen-logo.png with a symlink
ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
# RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
%find_lang %{gettext_domain}
@@ -1759,8 +1755,12 @@ fi
%changelog
-* Tue Jun 08 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.6
-- Roll in CentOS Branding
+* Tue Jun 22 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.7
+- Resolves: #1956550 - IPA server installation fails when cert contains non-ASCII character
+ - CA less installation: non ASCII chars in CA subject
+ - ipatests: use non-ascii chars in CA-less install
+- Resolves: #1974328 - Revise PKINIT upgrade code
+ - Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server
* Tue May 11 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.6
- Resolves: #1959349 - Need to bump pki + ds version