authorRob Crittenden <rcritten@redhat.com>2010-01-28 15:48:10 -0500
committerRob Crittenden <rcritten@redhat.com>2010-02-03 13:22:03 -0500
commit5760170bb3f7bfbd86be56284a7990e17c9b1bba (patch)
tree244a82cfe97ba51ed71d6e8ad7b76b2a001b08d0 /ipalib
parentf43f6c50c6d6c0f456ef30a9887dd6649ac9b879 (diff)
Add flag to allow a cert to be re-issued
I don't want a user to accidentally re-issue a certificate so I've added a new flag, --revoke, to revoke the old cert and load the new one.
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/cert.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 2b1d3ffcc..55b3b70bb 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -234,9 +234,6 @@ class cert_request(VirtualCommand):
service = api.Command['host_show'](hostname, all=True, raw=True)['result']
dn = service['dn']
- if 'usercertificate' in service:
- # FIXME, what to do here? Do we revoke the old cert?
- raise errors.CertificateOperationError(error=_('entry already has a certificate, serial number %s') % get_serial(base64.b64encode(service['usercertificate'][0])))
except errors.NotFound, e:
if not add:
raise errors.NotFound(reason="The service principal for this request doesn't exist.")
@@ -267,6 +264,13 @@ class cert_request(VirtualCommand):
if not hostdn in service.get('managedby', []):
raise errors.ACIError(info="Insufficient privilege to create a certificate with subject alt name '%s'." % name)
+ if 'usercertificate' in service:
+ serial = get_serial(base64.b64encode(service['usercertificate'][0]))
+ # revoke the certificate and remove it from the service
+ # entry before proceeding
+ api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+ api.Command['service_mod'](principal, usercertificate=None)
+
# Request the certificate
result = self.Backend.ra.request_certificate(csr, **kw)
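Review bot: The added `if 'usercertificate' in service:` block revokes the existing certificate and clears it from the entry unconditionally, while the commit message describes an opt-in `--revoke` flag. Nothing in this hunk checks such an option, so unless it is enforced outside ipalib (the diffstat is limited to that directory), any request that reaches this point replaces a live certificate. Revocation also runs before `request_certificate`, so a failed issuance leaves the service with a revoked certificate and no replacement; consider requesting the new certificate first and revoking the old serial only after that succeeds, and keeping the removed `CertificateOperationError` for the case where the flag is not set. The literal `revocation_reason=4` deserves a comment such as `# CRLReason 4 = superseded (RFC 5280)`. The enclosing method of cert_request starts and ends outside this hunk, so the option handling may simply be out of view.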