Diffstat (limited to 'cert-updater')
-rw-r--r-- | cert-updater/main.cpp | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp index 78ad0dc..354d9de 100644 --- a/cert-updater/main.cpp +++ b/cert-updater/main.cpp @@ -155,6 +155,7 @@ int main(int argc, char *argv[]) int prevSecondsToExpiry = (7*24*60*60); while (1) { + bool newCertDownloaded = false; bool allDownloadsOK = true; TQDateTime now = TQDateTime::currentDateTime(); TQDateTime earliestCertExpiry = now.addDays(14); // Recheck every 7 days regardless of last expiry check results @@ -174,7 +175,10 @@ int main(int argc, char *argv[]) printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout); } if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { - if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) { + if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) { + newCertDownloaded = true; + } + else { allDownloadsOK = false; } } @@ -185,7 +189,10 @@ int main(int argc, char *argv[]) else { mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); - if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) { + if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) == 0) { + newCertDownloaded = true; + } + else { allDownloadsOK = false; } } 
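Review bot: `newCertDownloaded` is declared without a comment, and its name is narrower than its use: the later hunks set it after CRL fetches as well as root certificate fetches. A one-line comment on the declaration would help, for example `// set when any root certificate or CRL was fetched in this pass; triggers the PKCS rehash below`, or the flag could be renamed to something like `trustFilesUpdated`. The `while (1)` body continues outside this hunk.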
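Review bot: A zero return from `get_certificate_from_server()` now does more than avoid the failure flag: here, and in the matching branches of the hunks at -185, -196 and -207, it sets `newCertDownloaded` and so triggers the rehash of client PKCS certificates. That function's body is outside this diff, so it is not visible whether 0 is returned only after the fetched data has been fully written and parses as a certificate or CRL. If it can return 0 for an empty or truncated response, the rehash would run against a broken root certificate or CRL file. A comment at the first call site would record the assumption, for example `// NOTE: relies on get_certificate_from_server() returning 0 only for a complete, valid file`, and the function itself is worth checking against it.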
@@ -196,7 +203,10 @@ int main(int argc, char *argv[]) printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout); } if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) { - if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) { + if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) { + newCertDownloaded = true; + } + else { allDownloadsOK = false; } } @@ -207,10 +217,19 @@ int main(int argc, char *argv[]) else { mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); - if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) { + if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) == 0) { + newCertDownloaded = true; + } + else { allDownloadsOK = false; } } + + if (newCertDownloaded) { + if (LDAPManager::rehashClientPKCSCertificates() != 0) { + printf("[WARNING] Unable to rehash client PKCS certificates\n"); fflush(stdout); + } + } } immediate = false; |
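Review bot: A failed `LDAPManager::rehashClientPKCSCertificates()` is only logged, and because `newCertDownloaded` is reset to false at the top of every pass, the rehash is not attempted again until some later download succeeds. Until then the freshly fetched root certificate or CRL sits on disk without the rehash having run, which for a CRL may mean clients do not pick up the updated revocation data (what the rehash produces is not visible here, so confirm). Consider a flag declared before the `while (1)` loop, for example `bool rehashPending = false;`, set wherever `newCertDownloaded` is set and cleared only when the rehash returns 0, with the final check reading `if (rehashPending)`. The body of `main` continues past this hunk, so how `allDownloadsOK` shapes the next wake-up is not shown.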