#7885 RFE: wrapper for Dogtag cert-fix command
Opened 2 months ago by ftweedal. Modified 3 days ago

RFE: implement a wrapper for the Dogtag offline renewal tool
(https://pagure.io/dogtagpki/issue/2776) that handles IPA-specific certificates and scenarios.

In particular:

  • Identify IPA-specific certificates that need renewal
  • Run pki-server cert-fix with appropriate arguments
  • Copy IPA-related renewed certificates to correct locations (files, NSSDBs, LDAP)
  • Become the renewal master if "shared" certificates were renewed.


  • 0a54a4c Extract ca_renewal cert update subroutine
  • 4f42ba8 cainstance: add function to determine ca_renewal nickname
  • 01a487e constants: add ca_renewal container
  • a2f9a70 Add ipa-cert-fix tool
  • d0b9507 ipa-cert-fix: add man page
  • e313149 ipa-cert-fix: use customary exit statuses

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1690191

2 months ago

I'm looking to get the Dogtag cert-fix enhancements merged into master and the 10.6 branch, before doing the forward port of ipa-cert-fix to IPA master and ipa-4-7. (A bit hard for folks to test otherwise).

The Dogtag PR for master is here: https://github.com/dogtagpki/pki/pull/182. 10.6 branch will follow merge to master.

10.6 PR here: https://github.com/dogtagpki/pki/pull/181. The forward-port is still blocked on an upstream Dogtag release that contains pki-server cert-fix with required features.

Login to comment on this ticket.