URL: https://github.com/freeipa/freeipa/pull/1343 Author: frasertweedale Title: #1343: Don't use admin cert during KRA installation Action: opened PR body: """ KRA installation currently imports the admin cert. FreeIPA does not track this cert and it may be expired, causing installation to fail. Do not import the existing admin cert, and discard the new admin cert that gets created during KRA installation. Part of: https://pagure.io/freeipa/issue/7287 ----- How to test: **NOTE** this also requires fix https://github.com/freeipa/freeipa/pull/1334 1. Install ipa master 2. get expiration date from /root/ca-agent.p12: ``` openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes cat ca-agent.pem | openssl x509 -noout -enddate ``` 3. Move date forward to 20 days before ca-agent.p12 expires 4. Wait for certs to be renewed (watch with ``getcert list``). You could ``systemctl restart certmonger`` to hurry it along a bit. 5. After resetting the system time and certificates have been renewed, execute ``pki-server subsystem-cert-update ca sslserver``. You will need give it the ``internal`` password from ``/etc/pki/pki-tomcat/password.conf``. This is needed because of a missing parameter in Dogtag CA's ``CS.cfg``. It will be dealt with as a separate issue (possibly to fix in Dogtag itself). 6. Move system time to AFTER ca-agent.p12 `notAfter` date. 7. ``ipactl restart`` 8. ``ipa-kra-install`` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1343/head:pr1343 git checkout pr1343