KEYCLOAK-2981 Upload-certificate admin endpoint does not nullify private keys

services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java

@@ -171,7 +171,7 @@ public class ClientAttributeCertificateResource {
      *
      * @param uriInfo
      * @param input
-     * @return
+     * @return information extracted from uploaded certificate - not necessarily the new state of certificate on the server
      * @throws IOException
      */
     @POST
@@ -189,6 +189,7 @@ public class ClientAttributeCertificateResource {
 
         if (info.getCertificate() != null) {
             client.setAttribute(certificateAttribute, info.getCertificate());
+            client.removeAttribute(privateAttribute);
         } else {
             throw new ErrorResponseException("certificate-not-found", "Certificate with given alias not found in the keystore", Response.Status.BAD_REQUEST);
         }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java

@@ -147,8 +147,7 @@ public class CredentialsTest extends AbstractClientTest {
         // Get the certificate - to make sure cert was properly updated, and privateKey is null
         cert = certRsc.getKeyInfo();
         assertEquals("cert properly set", certificate2, cert.getCertificate());
-        // TODO: KEYCLOAK-2981
-        //assertNull("privateKey nullified", cert.getPrivateKey());
+        assertNull("privateKey nullified", cert.getPrivateKey());
 
         // Re-upload the private key
         certRsc.uploadJks(keyCertForm);