From b720aa94e9317b857734c08a69fe2dcc0d95bf68 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 Jun 2016 15:11:08 +1000 Subject: Update lightweight CA serial after renewal For CA replicas to pick up renewed lightweight CA signing certificates, the authoritySerial attribute can be updated with the new serial number. Update the renew_ca_cert script, which is executed by Certmonger after writing a renewed CA certificate to the NSSDB, to update the authoritySerial attribute if the certificate belongs to a lightweight CA. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta --- install/restart_scripts/renew_ca_cert | 1 + 1 file changed, 1 insertion(+) (limited to 'install/restart_scripts') diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index dc0f1117b..186fb34f6 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -78,6 +78,7 @@ def _main(): ca.update_cert_config(nickname, cert) if ca.is_renewal_master(): cainstance.update_people_entry(cert) + cainstance.update_authority_entry(cert) if nickname == 'auditSigningCert cert-pki-ca': # Fix trust on the audit cert -- cgit
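Review bot: the added `cainstance.update_authority_entry(cert)` call in `_main()` sits beside `cainstance.update_people_entry(cert)` with no visible check that the certificate belongs to a lightweight CA, although the commit message says the authoritySerial update applies only in that case. As far as the visible context shows, the call is reached for any certificate renewed on the renewal master, including the 'auditSigningCert cert-pki-ca' nickname handled just below, so the lightweight-CA test has to live inside the helper. Suggest a one-line comment at the call site stating that the helper does nothing for certificates that are not lightweight CA signing certificates, and confirming that an exception raised by the helper cannot skip the audit cert trust fix that follows.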