From 5760170bb3f7bfbd86be56284a7990e17c9b1bba Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 28 Jan 2010 15:48:10 -0500 Subject: Add flag to allow a cert to be re-issued I don't want a user to accidentally re-issue a certificate so I've added a new flag, --revoke, to revoke the old cert and load the new one. --- ipalib/plugins/cert.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'ipalib/plugins/cert.py') diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 2b1d3ffc..55b3b70b 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -234,9 +234,6 @@ class cert_request(VirtualCommand): service = api.Command['host_show'](hostname, all=True, raw=True)['result'] dn = service['dn'] - if 'usercertificate' in service: - # FIXME, what to do here? Do we revoke the old cert? - raise errors.CertificateOperationError(error=_('entry already has a certificate, serial number %s') % get_serial(base64.b64encode(service['usercertificate'][0]))) except errors.NotFound, e: if not add: raise errors.NotFound(reason="The service principal for this request doesn't exist.") @@ -267,6 +264,13 @@ class cert_request(VirtualCommand): if not hostdn in service.get('managedby', []): raise errors.ACIError(info="Insufficient privilege to create a certificate with subject alt name '%s'." % name) + if 'usercertificate' in service: + serial = get_serial(base64.b64encode(service['usercertificate'][0])) + # revoke the certificate and remove it from the service + # entry before proceeding + api.Command['cert_revoke'](unicode(serial), revocation_reason=4) + api.Command['service_mod'](principal, usercertificate=None) + # Request the certificate result = self.Backend.ra.request_certificate(csr, **kw) -- cgit
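Review bot: The added `if 'usercertificate' in service:` block in the second hunk revokes the existing certificate on every repeat request; the description promises a `--revoke` flag, but neither hunk defines or checks one and the diffstat shows no other changes, so the guard against accidental re-issue that the first hunk removes is not replaced. The revocation branch should run only when that option is set, and otherwise keep raising the removed `CertificateOperationError`. The `cert_revoke` and `service_mod(principal, usercertificate=None)` calls also run before `request_certificate`, so a failed request appears to leave the entry with its old certificate revoked and no replacement; requesting first and revoking only on success would avoid that. A comment such as `# 4 = superseded (RFC 5280 CRLReason)` on `revocation_reason=4` would document the magic number, and because the context in the first hunk reads the entry through `host_show`, it is worth confirming that `service_mod` is the right call for host principals. The enclosing method of `cert_request` starts and ends outside both hunks.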