cert renewal: Automatically update KRA agent PEM file

https://fedorahosted.org/freeipa/ticket/5253

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

install/restart_scripts/renew_ra_cert

@@ -29,7 +29,7 @@ import traceback
 
 from ipapython import ipautil
 from ipalib import api
-from ipaserver.install import certs, cainstance
+from ipaserver.install import certs, cainstance, krainstance
 from ipaplatform import services
 from ipaplatform.paths import paths
 
@@ -60,6 +60,16 @@ def _main():
 
             # Load it into dogtag
             cainstance.update_people_entry(dercert)
+
+        kra = krainstance.KRAInstance(api.env.realm)
+        if kra.is_installed():
+            # export ipaCert with private key for client authentication
+            args = ["/usr/bin/pki",
+                    "-d", paths.HTTPD_ALIAS_DIR,
+                    "-C", paths.ALIAS_PWDFILE_TXT,
+                    "client-cert-show", "ipaCert",
+                    "--client-cert", paths.KRA_AGENT_PEM]
+            ipautil.run(args)
     finally:
         shutil.rmtree(tmpdir)