The CA admin certificate is required for the KRA install, which will not work if the certificate has expired.
The KRA install should be modified to use the old method, which added the KRA agent directly via LDAPI.
From relevant mail discussion:
To automatically renew the cert, it should be enough to:
1. after CA install, import the ca-agent.p12 file into a private NSS database and remove it
2. track the certificate in the private NSS database with certmonger
When the cert/private key is needed somewhere, it can be exported to a temporary file.
In the IRC discussion it was decided to revert to the old code that added the KRA agent directly; therefore changing the title and description.
In the future PKI will provide tools to add the KRA agent user and configure the cert mapping via LDAPI (https://fedorahosted.org/pki/ticket/1574) and IPA should use that instead.
freeipa-edewata-0377-Using-LDAPI-to-setup-CA-and-KRA-agents.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1258964
master:
ipa-4-2:
Metadata Update from @jcholast:
- Issue assigned to edewata
- Issue set to the milestone: FreeIPA 4.2.1