URL:
https://github.com/freeipa/freeipa/pull/1343
Author: frasertweedale
Title: #1343: Don't use admin cert during KRA installation
Action: opened
PR body:
"""
KRA installation currently imports the admin cert. FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of:
https://pagure.io/freeipa/issue/7287
-----
How to test:
**NOTE** this also requires fix
https://github.com/freeipa/freeipa/pull/1334
1. Install ipa master
2. get expiration date from /root/ca-agent.p12:
```
openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
openssl x509 -in ca-agent.pem -noout -enddate
```
3. Move date forward to 20 days before ca-agent.p12 expires
4. Wait for certs to be renewed (watch with ``getcert list``).
You could ``systemctl restart certmonger`` to hurry it along a bit.
5. After resetting the system time and certificates have been renewed, execute
``pki-server subsystem-cert-update ca sslserver``. You will need to give it the
``internal`` password from ``/etc/pki/pki-tomcat/password.conf``.
This is needed because of a missing parameter in Dogtag CA's ``CS.cfg``.
It will be dealt with as a separate issue (possibly to fix in Dogtag itself).
6. Move system time to AFTER ca-agent.p12 `notAfter` date.
7. ``ipactl restart``
8. ``ipa-kra-install``
"""
To pull the PR as Git branch:
```
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1343/head:pr1343
git checkout pr1343
```
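The failure the PR describes, an expired admin cert in `ca-agent.p12` breaking `ipa-kra-install`, can be caught before step 8 with a small preflight check. The script below is an added example, not FreeIPA or Dogtag code; it assumes `openssl` is on PATH, takes the bundle path and password as parameters, and builds constructed self-signed bundles only to demonstrate the three outcomes (valid, inside the 20-day renewal window from step 3, already expired or unreadable).

```sh
#!/bin/sh
# Added example (not FreeIPA code): check the Dogtag admin bundle before ipa-kra-install.
# Assumes openssl is on PATH; the bundle path and its password are parameters.
RENEWAL_WINDOW_DAYS=20   # the "20 days before expiry" window used in the test plan above

# extract_cert P12 PASSWORD -> PEM of the certificate(s) in the bundle, no keys
extract_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# not_after P12 PASSWORD -> the "notAfter=..." line, exactly as step 2 prints it
not_after() {
    extract_cert "$1" "$2" | openssl x509 -noout -enddate
}

# preflight P12 PASSWORD -> 0: safe to run ipa-kra-install, 1: inside the renewal window,
# 2: already expired (the import in ipa-kra-install would fail), 3: unreadable bundle
preflight() {
    pem=$(extract_cert "$1" "$2") || return 3
    [ -n "$pem" ] || return 3
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    # "openssl x509 -checkend N" succeeds only if the cert is still valid N seconds from now
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "admin cert already expired ($end)" >&2
        return 2
    fi
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((RENEWAL_WINDOW_DAYS * 86400)) >/dev/null; then
        echo "admin cert inside the ${RENEWAL_WINDOW_DAYS}-day renewal window ($end); let certmonger renew it first" >&2
        return 1
    fi
    echo "admin cert OK ($end)"
}

# make_test_p12 OUT DAYS PASSWORD -> a constructed self-signed bundle standing in for ca-agent.p12
make_test_p12() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=constructed-ca-agent" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" -out "$1" -passout "pass:$3"
    rm -rf "$tmp"
}
```

On a real master, `preflight /root/ca-agent.p12 "$password"` before step 8 reproduces the decision the PR removes from the install path.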