IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't move KRA keys when key backup is disabled

Browse Source 
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case IPA is configured with HSM
support.

With an HSM you don't export private keys.

Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden
2022-08-29 15:24:23 -04:00
parent 73d52a6135
commit e3234708ac
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ipaserver/install/krainstance.py
View File

@@ -234,7 +234,10 @@ class KRAInstance(DogtagInstance):
os.remove(cfg_file)
os.remove(admin_p12_file)
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
if config.getboolean(
self.subsystem, 'pki_backup_keys', fallback=True
):
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
logger.debug("completed creating KRA instance")
def __create_kra_agent(self):