From b89aa919778a048fbb54f0a3426423d23f6c38df Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: May 16 2024 12:46:32 +0000 Subject: renew_ca_cert: set peer trust on the KRA audit certificate The PKI audit certificates require that trusted peer (P) be set on the certificate. This is done already for the CA audit certificate. Also set this on the KRA audit certificate on renewal. https://pagure.io/freeipa/issue/9353 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in index 6a96453..cd14890 100644 --- a/install/restart_scripts/renew_ca_cert.in +++ b/install/restart_scripts/renew_ca_cert.in @@ -89,7 +89,10 @@ def _main(): cainstance.update_people_entry(cert) cainstance.update_authority_entry(cert) - if nickname == 'auditSigningCert cert-pki-ca': + if nickname in ( + 'auditSigningCert cert-pki-ca', + 'auditSigningCert cert-pki-kra', + ): # Fix trust on the audit cert try: db.run_certutil(['-M',
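Review bot: the comment `# Fix trust on the audit cert` under the new `if nickname in (...)` test in `_main()` still reads as if one certificate is handled, and the two nickname strings are inline literals. Suggest rewording the comment to say it covers both the CA and the KRA audit signing certificates, and moving the pair into a named module-level tuple (the name is up to you) so that another subsystem audit certificate becomes a one-line addition. The visible context ends at `db.run_certutil(['-M',`, so the trust flags applied to the KRA nickname cannot be checked from this hunk; please confirm they match the trusted peer (P) requirement stated in the commit message. It would also help to note in the description that KRA audit certificate renewals are routed through this script, since the hunk alone does not show that the new branch is reached.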