ca.certStatusUpdateInterval manages how frequently to update
the certificate status in LDAP (expired, etc).
By default this is not set on the initial master and pkispawn sets
it to 0 on replicas. This can lead to no server running this
task and therefore the status attribute not reflecting the current
state.
On enabling CRL generation remove any value which will cause PKI
to use its default. On disabling set it to 0.
Only one server should run the update status task to prevent
unnecessary replication.
Fixes: https://pagure.io/freeipa/issue/9569
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>