For KRA cloning the admin needs to provide a PKCS #12 file containing the existing KRA's certificates. Depending on how the PKCS #12 file is created, the file might include the CA signing certificate, and it might also include the certificate trust flags. During KRA clone installation the PKCS #12 file will be imported into the clone's NSS database.
The problem is, if the clone already has a CA subsystem, the trust flags in the NSS database will be overwritten by the trust flags in the PKCS #12 file. If the trust flags in the PKCS #12 file were not exported properly from the original KRA, they can cause problems in the clone (e.g. unable to connect to DS).
To fix the problem the tool to import the PKCS #12 file should not overwrite existing certificate and trust flags unless specifically requested.
This would fix the following ticket:
and possibly this ticket as well:
Steps to reproduce:
$ ipa-server-install -U -r EXAMPLE.COM -p Secret123 -a Secret123
$ ipa-kra-install -p Secret123

$ ipa-client-install -U --server server.example.com --domain example.com \
    --realm EXAMPLE.COM -p admin -w Secret123
$ echo Secret123 | kinit admin
$ ipa-replica-install -U --setup-ca -p Secret123 -w Secret123
$ ipa-kra-install -p Secret123
Actual result: The KRA installation on replica failed.
Expected result: The KRA installation on replica should succeed.
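The import behaviour described at the top of this ticket, as an added Python sketch that is not Dogtag's own code: the clone's NSS database and the PKCS #12 contents are modelled as nickname-to-trust-flag maps (constructed sample values), and the accepted trust letters are the ones documented for certutil.

```python
# Added example, not Dogtag's own code: models the trust-flag merge a PKCS #12
# import tool should do on a KRA clone whose NSS database already holds a CA.
# NSS trust strings have three comma-separated fields (SSL, S/MIME, object
# signing) built from the letters documented for certutil (p, P, c, C, T, u, w, g).
TRUST_LETTERS = set("pPcCTuwg")


def parse_trust(flags):
    """Validate a trust string such as 'CTu,Cu,Cu' and return its three fields."""
    fields = flags.split(",")
    if len(fields) != 3 or any(set(f) - TRUST_LETTERS for f in fields):
        raise ValueError(f"malformed NSS trust flags: {flags!r}")
    return fields


def import_pkcs12(nssdb, pkcs12_certs, overwrite=False):
    """Merge certs from a PKCS #12 file into an NSS database (nickname -> trust).

    Entries already in the database keep their trust flags unless overwrite=True;
    missing entries are added with the flags carried in the PKCS #12 file.
    Returns the nicknames whose trust changed, so the caller can log them.
    """
    changed = []
    for nickname, flags in pkcs12_certs.items():
        parse_trust(flags)  # reject malformed flags before touching the database
        if nickname in nssdb and not overwrite:
            continue
        if nssdb.get(nickname) != flags:
            changed.append(nickname)
        nssdb[nickname] = flags
    return changed


def ca_trusted_for_ssl(nssdb, ca_nickname):
    """True if the CA carries 'C' in its SSL field, i.e. server certs it issued verify."""
    return "C" in parse_trust(nssdb[ca_nickname])[0]


if __name__ == "__main__":
    # Constructed sample: a replica that already has a CA subsystem installed.
    clone = {"caSigningCert cert-pki-ca": "CTu,Cu,Cu", "Server-Cert cert-pki-ca": "u,u,u"}
    # Constructed PKCS #12 content: KRA certs plus the CA cert, exported without trust.
    kra_p12 = {"caSigningCert cert-pki-ca": ",,", "storageCert cert-pki-kra": "u,u,u",
               "transportCert cert-pki-kra": "u,u,u"}
    clobbered, preserved = dict(clone), dict(clone)
    import_pkcs12(clobbered, kra_p12, overwrite=True)  # old behaviour
    import_pkcs12(preserved, kra_p12)                  # proposed default
    # CA loses its SSL trust -> the clone can no longer verify the DS's certificate
    print("overwrite:", ca_trusted_for_ssl(clobbered, "caSigningCert cert-pki-ca"))  # False
    print("preserve: ", ca_trusted_for_ssl(preserved, "caSigningCert cert-pki-ca"))  # True
```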
Per discussions with edewata on IRC: 10.3.4
Per PKI Bug Council of 06/23/2016: 10.3.4
no downstream bug is necessary, as this will be tested out by FreeIPA
Fixed in master:
Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.4
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2494
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.