authorMartin Basti <mbasti@redhat.com>2015-12-10 13:46:07 +0100
committerMartin Basti <mbasti@redhat.com>2015-12-14 11:48:40 +0100
commitbf9a34f4cfc2c514ff53efea4ba56e2c0cb3033f (patch)
treece3963ed08bf6005b1108a6a01deb1a8ced19423
parent099cf98307d4b2f0ace5d5e28754f264808bf59d (diff)
Install RA cert during replica promotion
This cert is needed with KRA to be able to store and retrieve secrets. https://fedorahosted.org/freeipa/ticket/5512 Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r--ipaserver/install/cainstance.py4
-rw-r--r--ipaserver/install/server/replicainstall.py8
2 files changed, 8 insertions, 4 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 692cac00f..8378aea47 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1344,12 +1344,8 @@ class CAInstance(DogtagInstance):
self.step("setting audit signing renewal to 2 years",
self.set_audit_renewal)
- self.step("configure certmonger for renewals",
- self.configure_certmonger_renewal)
self.step("configure certificate renewals",
self.configure_renewal)
- self.step("configure RA certificate renewal",
- self.configure_agent_renewal)
self.step("configure Server-Cert certificate renewal",
self.track_servercert)
self.step("Configure HTTP to proxy connections",
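Review bot: With `configure_certmonger_renewal` and `configure_agent_renewal` dropped from this step list, nothing here records where those two are now done, and any caller of this CAInstance method other than `promote()` in replicainstall.py would finish without RA certificate tracking. Renewal that is never configured tends to go unnoticed until the certificate is due. I would add a comment above the `configure certificate renewals` step, for example `# certmonger and RA agent renewal are set up by replicainstall.promote(), not here`, and confirm that no other install path relies on this method for them. The enclosing method starts and ends outside the hunk, so its other callers are not visible from here.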
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 311f0e577..1d5b528c8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1316,6 +1316,14 @@ def promote(installer):
installer._ca_enabled)
custodia.create_replica(config.master_host_name)
+ if installer._ca_enabled:
+ CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR)
+
+ CA.configure_certmonger_renewal()
+ CA.configure_agent_renewal()
+ cainstance.export_kra_agent_pem()
+ CA.fix_ra_perms()
+
krb = install_krb(config,
setup_pkinit=not options.no_pkinit,
promote=True)
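Review bot: `cainstance.export_kra_agent_pem()` runs before `CA.fix_ra_perms()` in the block added under `if installer._ca_enabled:`, and neither body is visible here. If the export writes RA agent key material to a PEM file, as its name suggests, that file should get restrictive ownership and mode from the export itself, not from a later call that is skipped whenever an earlier one raises. Once confirmed, I would record it above the block, e.g. `# export_kra_agent_pem() creates the agent PEM with restricted permissions; fix_ra_perms() is not a substitute`. The four calls also run directly rather than through `step(...)`, so the install output presumably no longer shows the "configure certmonger for renewals" and "configure RA certificate renewal" entries that the cainstance.py hunk removed. `promote()` starts and ends outside the hunk.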