Don't move KRA keys when key backup is disabled

The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case when IPA is configured with HSM
support.

With an HSM you don't export private keys.

Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2022-08-29 15:24:23 -04:00
parent 73d52a6135
commit e3234708ac


@ -234,7 +234,10 @@ class KRAInstance(DogtagInstance):
os.remove(cfg_file)
os.remove(admin_p12_file)
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
if config.getboolean(
self.subsystem, 'pki_backup_keys', fallback=True
):
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
logger.debug("completed creating KRA instance")
def __create_kra_agent(self):
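Review bot: the new `config.getboolean(self.subsystem, 'pki_backup_keys', fallback=True)` check defaults to True, so a config that omits the option still reaches `shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)` and will raise if the backup file was never written. If that default is meant to mirror the installer's own default, a one-line comment above the `if` saying so, and noting that the HSM case sets the option to False because private keys are not exported, would make the intent clear to the next reader. The skipped branch is also silent: a `logger.debug` there stating that no `paths.KRACERT_P12` was produced would help when reading an install log. It is worth confirming that later code which expects `paths.KRACERT_P12` to exist tolerates its absence.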