Previously, the certmonger service could access a Network Security Services (NSS) database without a password, despite being configured to use a password to access that database. This behavior was not recognized as an error. This update correctly diagnoses this inconsistency as an error.

Previously, if the certmonger service could not generate a key pair in an NSS database because it did not have the password that was required for accessing the database, the certmonger service did not recover when it was subsequently given the correct password. This update handles this case correctly.

Previously, the certmonger service did not correctly diagnose a missing token if the name of the token to use was specified when the service was instructed to generate a key pair for storage in an NSS database. This update corrects this error.

Previously, the certmonger service encountered an assertion failure if the D-Bus message bus service was not already running when certmonger was started. This update modifies the certmonger service so that no more assertion problems occur in such a situation.

Previously, when the getcert command needed to report an error message which it received from the certmonger service, it exited unexpectedly due to a logic error. This update corrects the logic so that the error message is correctly reported.

Previously, the certmonger service was not fully compatible with newer versions of the xmlrpc-c and libcurl packages. As a result, credentials could not be delegated when using GSSAPI authentication with a CA that was accessed via XML-RPC. This update includes the necessary changes to continue to be able to delegate credentials when using GSSAPI authentication with a CA that is accessed using XML-RPC, such as IPA.

Previously, when the getcert request command was given a location for key or certificate storage using a relative path, and the location did not exist, the error was only reported after multiple warnings during which the command attempted to convert the relative path to an absolute path. This update suppresses these warnings.

Previously, an incorrect error message was displayed if the getcert resubmit command was invoked with the -i flag to specify which request should be resubmitted to a CA but no request that matched the provided value was present. This update displays the correct error message.

Due to a logic error, attempts to save a newly-obtained certificate to an NSS database could fail intermittently. This update corrects the error.

Previously, the getcert list command only printed information about every certificate and enrollment request being managed by certmonger, and there was no way to narrow down the results. This update includes an updated version of the command which can narrow the result set if the invoking user provides information about the location of the certificate or key in which the user is interested

This update now includes an HTTP "Referer:" header value when submitting requests to CAs which are accessed using XML-RPC, as is expected to be required by future releases of the IPA CA.

When submitting a signing request to a Red Hat IPA (Identity, Policy, Audit) CA, certmonger is expected to authenticate using the client's host credentials, and to delegate the client's credentials to the server. Recent updates to libraries on which certmonger depends changed delegation of client credentials from a mandatory operation to an optional operation that is no longer enabled by default, which effectively broke certmonger's support for IPA CAs. This update gives certmonger the ability to explicitly request credential delegation when used with newer versions of these libraries, which introduce an API that allows certmonger to explicitly request that credential delegation be performed.