-rwxr-xr-xipa-client/ipa-install/ipa-client-install10
-rw-r--r--ipalib/x509.py33
2 files changed, 30 insertions, 13 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index bd299f9ba..f068c9d34 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -48,6 +48,7 @@ try:
from ipapython.dn import DN
from ipapython.ssh import SSHPublicKey
from ipalib.rpc import delete_persistent_client_session_data
+ import nss.nss as nss
import SSSDConfig
from ConfigParser import RawConfigParser
from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
@@ -77,10 +78,15 @@ def parse_options():
if not os.path.isabs(value):
raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
+ initialized = nss.nss_is_initialized()
try:
cert = x509.load_certificate_from_file(value)
except Exception, e:
raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
+ else:
+ del(cert)
+ if not initialized:
+ nss.nss_shutdown()
parser.values.ca_cert_file = value
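Review bot: `nss.nss_shutdown()` runs only in the `else:` branch, so when `x509.load_certificate_from_file(value)` raises after NSS has already been initialized inside it (the ipalib/x509.py hunk below shows `load_certificate` calling `nss_init`/`nss_init_nodb` before it constructs the certificate, which is presumably what this helper ends up in), the option callback leaves NSS initialized and the `initialized` bookkeeping is wasted. Moving the two shutdown lines under a `finally:` clause, guarded as `if not initialized and nss.nss_is_initialized():`, releases the context on both paths; `del(cert)` stays in `else:` because `cert` is unbound on the error path. The rest of parse_options lies outside the hunk.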
@@ -1372,6 +1378,8 @@ def get_ca_cert_from_file(url):
except Exception, e:
raise errors.FileError(reason =
u"cannot write certificate file '%s': %s" % (CACERT, e))
+ else:
+ del(cert)
def get_ca_cert_from_http(url, ca_file, warn=True):
'''
@@ -1478,6 +1486,8 @@ def validate_new_ca_cert(existing_ca_cert, ca_file, ask, override=False):
root_logger.debug(
"Existing CA cert and Retrieved CA cert are identical")
os.remove(ca_file)
+ del(existing_ca_cert)
+ del(new_ca_cert)
def get_ca_cert(fstore, options, server, basedn):
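Review bot: The two added `del` statements in validate_new_ca_cert release the certificates only on the path that reaches them; with indentation lost in this view it is unclear whether they sit inside the "identical" branch after `os.remove(ca_file)` or at the function tail, but either way an earlier `return` or a raised exception elsewhere in the function, if there is one, keeps the NSS objects alive. The same success-only release appears in get_ca_cert_from_file above, where `del(cert)` is placed in the `else:` of the write and is skipped when `errors.FileError` is raised. Deleting each object right after its last use, or wrapping the comparison in `try/finally`, would make the release unconditional. validate_new_ca_cert starts outside the hunk.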
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f8a13577b..4f81fb59a 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -91,18 +91,18 @@ def load_certificate(data, datatype=PEM, dbdir=None):
data = strip_header(data)
data = base64.b64decode(data)
- if dbdir is None:
- if 'in_tree' in api.env:
- if api.env.in_tree:
- dbdir = api.env.dot_ipa + os.sep + 'alias'
+ if not nss.nss_is_initialized():
+ if dbdir is None:
+ if 'in_tree' in api.env:
+ if api.env.in_tree:
+ dbdir = api.env.dot_ipa + os.sep + 'alias'
+ else:
+ dbdir = "/etc/httpd/alias"
+ nss.nss_init(dbdir)
else:
- dbdir = "/etc/httpd/alias"
- nss.nss_init(dbdir)
+ nss.nss_init_nodb()
else:
- nss.nss_init_nodb()
- else:
- nss.nss_init(dbdir)
-
+ nss.nss_init(dbdir)
return nss.Certificate(buffer(data))
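Review bot: When `nss.nss_is_initialized()` is already true, an explicit `dbdir` argument is now silently ignored and the certificate is parsed in whatever context an earlier caller set up, which may be the no-database one from `nss.nss_init_nodb()`; nothing on this code path tells the caller that its requested database was not used. This deserves a sentence in the function's docstring, which lies outside the hunk: `If NSS is already initialized, dbdir is ignored and the existing NSS context is reused.` A `root_logger.debug` line in that case, if a logger is available in this module, would also make the mismatch diagnosable when certificate verification later behaves unexpectedly.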
@@ -139,7 +139,9 @@ def get_subject(certificate, datatype=PEM, dbdir=None):
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.subject
+ subject = nsscert.subject
+ del(nsscert)
+ return subject
def get_issuer(certificate, datatype=PEM, dbdir=None):
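Review bot: The added `del(nsscert)` in get_subject carries no explanation, and the same unexplained pattern recurs in get_issuer, get_serial_number and verify_cert_subject in this file. Since ipa-client-install now pairs such deletions with `nss.nss_shutdown()`, the intent is presumably to drop the last reference to the NSS certificate object before a shutdown; a comment such as `# drop the NSS cert reference now so a later nss_shutdown() is not blocked by it -- confirm against python-nss` at the first occurrence would make that explicit. Note that `del` only removes this frame's reference, so if `nsscert.subject` keeps its certificate alive the object is not actually released. Stylistically, `del nsscert` is the idiomatic form since `del` is a statement, not a call.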
"""
@@ -147,14 +149,18 @@ def get_issuer(certificate, datatype=PEM, dbdir=None):
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.issuer
+ issuer = nsscert.issuer
+ del(nsscert)
+ return issuer
def get_serial_number(certificate, datatype=PEM, dbdir=None):
"""
Return the decimal value of the serial number.
"""
nsscert = load_certificate(certificate, datatype, dbdir)
- return nsscert.serial_number
+ serial_number = nsscert.serial_number
+ del(nsscert)
+ return serial_number
def make_pem(data):
"""
@@ -230,6 +236,7 @@ def verify_cert_subject(ldap, hostname, dercert):
nsscert = load_certificate(dercert, datatype=DER)
subject = str(nsscert.subject)
issuer = str(nsscert.issuer)
+ del(nsscert)
# Handle both supported forms of issuer, from selfsign and dogtag.
if (not valid_issuer(issuer)):