prevent race condition when refreshing role cert

1 files changed, 3 insertions, 3 deletions

diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index e97409b40ef..fd297c291c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -278,17 +278,17 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
                 identity, role, athenzUniqueInstanceId, null, keyPair);
         try (ZtsClient client = createZtsClient()) {
             X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
-            updateRoleKeyManager(role, roleCertificate);
+            updateRoleKeyManager(role, keyPair.getPrivate(), roleCertificate);
             log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString()));
             return roleCertificate;
         }
     }
 
-    private void updateRoleKeyManager(AthenzRole role, X509Certificate certificate) {
+    private void updateRoleKeyManager(AthenzRole role, PrivateKey privateKey, X509Certificate certificate) {
         MutableX509KeyManager keyManager = roleKeyManagerCache.computeIfAbsent(role, r -> new MutableX509KeyManager());
         keyManager.updateKeystore(
                 KeyStoreBuilder.withType(PKCS12)
-                        .withKeyEntry("default", autoReloadingX509KeyManager.getCurrentCertificateWithKey().privateKey(), certificate)
+                        .withKeyEntry("default", privateKey, certificate)
                         .build(),
                 new char[0]);
     }