From e3234708ac356065641ce1ea4d6460c7fd50c815 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 29 Aug 2022 15:24:23 -0400
Subject: [PATCH] Don't move KRA keys when key backup is disabled
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is set to False. This is the case IPA is configured with HSM support. With an HSM you don't export private keys.
Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/install/krainstance.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index a280ee014..a600f5049 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -234,7 +234,10 @@ class KRAInstance(DogtagInstance):
 os.remove(cfg_file)
 os.remove(admin_p12_file)
- shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
+ if config.getboolean(
+ self.subsystem, 'pki_backup_keys', fallback=True
+ ):
+ shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
 logger.debug("completed creating KRA instance")
 def __create_kra_agent(self):
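Review bot: The new guard around shutil.move makes the skip silent: when pki_backup_keys is false nothing records that the KRA key backup PKCS#12 was deliberately not produced, so a later absence of KRACERT_P12 cannot be distinguished from a failed install from the log alone; an else branch with `logger.debug("pki_backup_keys is disabled, not moving %s", paths.KRA_BACKUP_KEYS_P12)` would make the HSM path auditable at the same level as the "completed creating KRA instance" line. The guard also keys only on the configuration value: with the option absent, fallback=True still attempts the move, and shutil.move on a missing source raises FileNotFoundError, so the behaviour in that case is unchanged from before rather than hardened — acceptable if the option is always written, but worth a comment stating that assumption. The enclosing method, and the binding of config and self.subsystem, start outside the hunk.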