The CA and KRA audit certificates require the trusted peer (P) flag set. This is done for the CA but not for the KRA. It is a simple change to also include "auditSigningCert cert-pki-kra" in the nickname check.
In some cases certmonger may preserve the trust flags on renewal, but when certificates are stored in tokens the trust is not set in the HSM token, so there is nothing to restore.
Included in the overall HSM PR https://github.com/freeipa/freeipa/pull/6714
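As an added illustration of the check the ticket describes (this is example code, not FreeIPA's or Dogtag's own), the snippet below parses a `certutil -L` style listing, reports which of the two audit signing nicknames lacks the trusted peer (P) flag, and builds the `certutil -M` command that would set the expected trust. The listing and the NSS database path are constructed placeholders; the expected trust string `u,u,Pu` (P in the object signing column) is assumed.

```python
"""Report PKI audit signing certificates that lack the trusted peer (P) flag.

Added example, not FreeIPA or Dogtag code. The sample certutil listing and
the NSS database path below are constructed for the example.
"""
import re
import shlex

# Nicknames whose certificates must carry the P flag (from the ticket).
AUDIT_SIGNING_NICKNAMES = (
    "auditSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-kra",
)

# Assumed expected trust for audit signing certs: P in the object signing column.
EXPECTED_TRUST = "u,u,Pu"

# A certutil -L data line: nickname, two or more spaces, then SSL,S/MIME,JAR/XPI flags.
_LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} from certutil -L style output.

    Header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not match the
    flag pattern and are skipped.
    """
    certs = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def has_trusted_peer_flag(trust):
    """True if the object signing (third) trust column contains P."""
    cols = trust.split(",")
    return len(cols) == 3 and "P" in cols[2]


def audit_certs_missing_p(certs):
    """Audit signing nicknames present in the DB whose trust lacks P."""
    return sorted(
        nick for nick in AUDIT_SIGNING_NICKNAMES
        if nick in certs and not has_trusted_peer_flag(certs[nick])
    )


def fix_commands(certs, nssdb="/path/to/nssdb"):
    """Build (but do not run) the certutil -M commands restoring the trust."""
    return [
        "certutil -M -d {} -n {} -t {}".format(
            shlex.quote(nssdb), shlex.quote(nick), EXPECTED_TRUST
        )
        for nick in audit_certs_missing_p(certs)
    ]


# Constructed sample listing: the KRA audit cert has lost its P flag.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
auditSigningCert cert-pki-kra                                u,u,u
storageCert cert-pki-kra                                     u,u,u
"""


if __name__ == "__main__":
    found = parse_certutil_listing(SAMPLE_LISTING)
    for nick in audit_certs_missing_p(found):
        print("missing P flag:", nick, "current trust:", found[nick])
    for cmd in fix_commands(found):
        print(cmd)
```

Run against real output by piping `certutil -L -d <nssdb>` into `parse_certutil_listing`; the commands are printed rather than executed so an operator can review them before changing trust on a live token.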
Metadata Update from @rcritten: - Issue tagged with: hsm
master:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)