From 3700a5991c59109353d6d9f41ae79686ac5921e2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 7 Nov 2023 16:43:59 -0600
Subject: [PATCH] Update PKIDeployer.setup_system_cert()
The PKIDeployer.setup_system_cert() has been modified to reuse the existing system certs if they already exist in the NSS database.
---
 base/server/python/pki/server/deployment/__init__.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 905cac5ffd4..698fb2ecff2 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -3141,7 +3141,7 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
 # For external/existing CA case, the requests and certs might be provided
 # (i.e. already exists in NSS database), but they still need to be imported
- # into internal database.
+ # into CA database.
 #
 # A new SSL server cert will always be created separately later.
@@ -3241,10 +3241,8 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
 subsystem.update_system_cert(system_cert)
 if cert_info:
- logger.info('Remove existing %s cert from NSS database but keep the key', tag)
- nssdb.remove_cert(
- nickname=request.systemCert.nickname,
- token=request.systemCert.token)
+ logger.info('Reusing existing %s cert in NSS database', tag)
+ return
 logger.info('Importing %s cert into NSS database', tag)
 nssdb.add_cert(
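Review bot: The new `if cert_info:` branch in the second hunk returns without checking that the cert already in the NSS database is the same one held in `system_cert`, which `subsystem.update_system_cert(system_cert)` has just recorded two lines earlier. If `cert_info` is the lookup result for that nickname (it is assigned outside the hunk, so this is inferred), a stale, expired or differently-issued cert left under the nickname would be kept silently, and the subsystem configuration and the NSS database could then disagree. Before the `return`, compare the existing cert with the data in `system_cert` and either fall through to the import or fail on a mismatch, and name the cert in the log so the reuse is auditable, e.g. `logger.info('Reusing existing %s cert (%s) in NSS database', tag, request.systemCert.nickname)`. The early return also skips everything after `nssdb.add_cert(` in setup_system_cert(), whose body continues past the hunk, so confirm that no later step is still required for a reused cert.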