URL: https://github.com/freeipa/freeipa/pull/2630 Author: flo-renaud Title: #2630: PKINIT: fix ipa-pkinit-manage enable|disable Action: opened PR body: """ ## PKINIT: fix ipa-pkinit-manage enable|disable The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by IPA CA when state=enable, selfsigned when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept. The fix consists in deleting the cert and key file before calling certmonger to request a new cert. There was also an issue in the is_pkinit_enabled() function: if no tracking request was found for the PKINIT cert, is_pkinit_enabled() was returning True while it should not. Fixes https://pagure.io/freeipa/issue/7200 ## ipatest: add test for ipa-pkinit-manage enable|disable Add a test for ipa-pkinit-manage with the following scenario: - install master with option --no-pkinit - call ipa-pkinit-manage enable - call ipa-pkinit-manage disable - call ipa-pkinit-manage enable At each step, check that the PKINIT cert is consistent with the expectations: when pkinit is enabled, the cert is signed by IPA CA and tracked by 'IPA' ca helper, but when pkinit is disabled, the cert is self-signed and tracked by 'SelfSign' CA helper. Related to https://pagure.io/freeipa/issue/7200 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2630/head:pr2630 git checkout pr2630