Add ipa-cert-fix tool

The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions.  In particular:

- Run cert-fix with arguments particular to the IPA deployment.

- Update IPA RA certificate in the ipara user entry (if renewed).

- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.

- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.

Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fraser Tweedale
2019-03-22 16:53:53 +11:00
parent a3becc76dd
commit 09aa3d1f76
4 changed files with 286 additions and 0 deletions


@@ -29,6 +29,7 @@ dist_noinst_DATA = \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
@@ -61,6 +62,7 @@ nodist_sbin_SCRIPTS = \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
appdir = $(libexecdir)/ipa/
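Review bot: no man page accompanies the new sbin script in the visible hunks; the two Makefile hunks only add `ipa-cert-fix.in` to `dist_noinst_DATA` and `ipa-cert-fix` to `nodist_sbin_SCRIPTS`, with no matching entry in a man page list, so the tool's behaviour described in the commit message (renewing non-Dogtag certificates, updating the ipara entry, adding certificates to the ca_renewal container and taking over the CA renewal master role) has no installed documentation yet. Installing under sbin is appropriate, since every one of those actions needs privileged access, but a man page entry should be added in the same change so the renewal-master side effect is documented where an administrator will look for it.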

install/tools/ipa-cert-fix.in Executable file

@@ -0,0 +1,8 @@
@PYTHONSHEBANG@
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_cert_fix import IPACertFix
IPACertFix.run_cli()
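Review bot: the entry point imports `IPACertFix` from `ipaserver.install.ipa_cert_fix` and calls `run_cli()`, but that module is not among the hunks shown here; the page lists 4 changed files with 286 additions while only this 8-line script and the two Makefile hunks are visible, so the class name, the `run_cli` entry point and the logic the commit message describes (the cert-fix arguments, the ipara update, the ca_renewal container writes and the renewal-master switch) cannot be checked from this view. Review of the missing module should confirm that the renewal-master takeover only happens when shared certificates were actually renewed, as the commit message states, since that is the step that changes behaviour on other replicas.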