On 06/21/2016 01:03 PM, Endi Sukma Dewata wrote:
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.

Some other classes have been modified to provide better
debugging information.

https://fedorahosted.org/pki/ticket/2374



_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Ran the following test:

   Steps to reproduce:

    1. Install CA and KRA on master:

   $ ipa-server-install -U -r EXAMPLE.COM -p Secret123 -a Secret123
   $ ipa-kra-install -p Secret123

    2. Install CA and KRA on replica:

   $ ipa-client-install -U --server server.example.com --domain example.com \
      --realm EXAMPLE.COM -p admin -w Secret123
   $ echo Secret123 | kinit admin
   $ ipa-replica-install -U --setup-ca -p Secret123 -w Secret123
   $ ipa-kra-install -p Secret123

   Actual result: Success! The KRA installation on replica succeeded!

ACK
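
A check for the side effect the patch description mentions, added here as an example (not code from the patch or from the PKI project): it compares two saved `certutil -L` listings of an NSS database, taken before and after a PKCS #12 import, and reports certificates whose trust attributes changed. The listings, nicknames and trust values are constructed samples, not data from the ticket.

```python
import re

# A data row of `certutil -L`: a nickname (spaces allowed) followed by the
# three comma-separated trust fields (SSL, S/MIME, JAR/XPI).
ROW = re.compile(r"^(?P<nick>.*\S)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

# Constructed sample listings: the same NSS database before and after an import.
HEADER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""
BEFORE = HEADER + """\
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""
AFTER = HEADER + """\
caSigningCert cert-pki-ca                                    ,,
Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
"""

def parse_listing(text):
    """Return {nickname: trust string}; header and blank lines do not match ROW."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs

def compare(before, after):
    """Diff two listings: changed trust on existing certs, plus added/removed nicknames."""
    old, new = parse_listing(before), parse_listing(after)
    changed = sorted((n, old[n], new[n])
                     for n in old.keys() & new.keys() if old[n] != new[n])
    return {"changed": changed,
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}

if __name__ == "__main__":
    report = compare(BEFORE, AFTER)
    for nick, was, now in report["changed"]:
        print(f"TRUST CHANGED  {nick}: {was!r} -> {now!r}")
    for nick in report["added"]:
        print(f"ADDED          {nick}")
```

An empty `changed` list after an import means the certificates that already existed kept their trust attributes.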
