Add flag to allow a cert to be re-issued

I don't want a user to accidentally re-issue a certificate so I've
added a new flag, --revoke, to revoke the old cert and load the new one.

1 files changed, 7 insertions, 3 deletions

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 2b1d3ffcc..55b3b70bb 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -234,9 +234,6 @@ class cert_request(VirtualCommand):
 
                 service = api.Command['host_show'](hostname, all=True, raw=True)['result']
                 dn = service['dn']
-            if 'usercertificate' in service:
-                # FIXME, what to do here? Do we revoke the old cert?
-                raise errors.CertificateOperationError(error=_('entry already has a certificate, serial number %s') % get_serial(base64.b64encode(service['usercertificate'][0])))
         except errors.NotFound, e:
             if not add:
                 raise errors.NotFound(reason="The service principal for this request doesn't exist.")
@@ -267,6 +264,13 @@ class cert_request(VirtualCommand):
                     if not hostdn in service.get('managedby', []):
                         raise errors.ACIError(info="Insufficient privilege to create a certificate with subject alt name '%s'." % name)
 
+        if 'usercertificate' in service:
+            serial = get_serial(base64.b64encode(service['usercertificate'][0]))
+            # revoke the certificate and remove it from the service
+            # entry before proceeding
+            api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
+            api.Command['service_mod'](principal, usercertificate=None)
+
         # Request the certificate
         result = self.Backend.ra.request_certificate(csr, **kw)