renew_ca_cert: set peer trust on the KRA audit certificate

The PKI audit certificates require that trusted peer (P) be set on the certificate. This is done already for the CA audit certificate. Also set this on the KRA audit certificate on renewal. https://pagure.io/freeipa/issue/9353 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-03-15 10:34:15 -04:00
parent 0708f603e2
commit b89aa91977
1 changed files with 4 additions and 1 deletions
--- a/install/restart_scripts/renew_ca_cert.in
+++ b/install/restart_scripts/renew_ca_cert.in
@@ -89,7 +89,10 @@ def _main():
            cainstance.update_people_entry(cert)
            cainstance.update_authority_entry(cert)

-        if nickname == 'auditSigningCert cert-pki-ca':
+        if nickname in (
+            'auditSigningCert cert-pki-ca',
+            'auditSigningCert cert-pki-kra',
+        ):
            # Fix trust on the audit cert
            try:
                db.run_certutil(['-M',