URL:
https://github.com/freeipa/freeipa/pull/2630
Author: flo-renaud
Title: #2630: PKINIT: fix ipa-pkinit-manage enable|disable
Action: opened
PR body:
"""
## PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT
cert is not re-issued.
The command triggers the request of a new certificate (signed by the IPA CA when state=enable,
self-signed when disabled), but as the cert file is still present, certmonger does not
create a new request and the existing certificate is kept.
The fix consists of deleting the cert and key file before calling certmonger to request a
new cert.
There was also an issue in the is_pkinit_enabled() function: if no tracking request was
found for the PKINIT cert, is_pkinit_enabled() was returning True while it should not.
Fixes
https://pagure.io/freeipa/issue/7200
## ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the expectations: when PKINIT
is enabled, the cert is signed by the IPA CA and tracked by the 'IPA' CA helper, but when
PKINIT is disabled, the cert is self-signed and tracked by the 'SelfSign' CA helper.
Related to
https://pagure.io/freeipa/issue/7200
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2630/head:pr2630
git checkout pr2630