-rw-r--r--rpkid/rpki/left_right.py19
-rw-r--r--rpkid/rpki/rpki_engine.py1
2 files changed, 17 insertions, 3 deletions
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 390a36ae..c1580f1d 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -385,18 +385,31 @@ class self_elt(data_elt):
if ca_detail.state == "active":
old_resources = child_cert.cert.get_3779resources()
new_resources = irdb_resources.intersection(old_resources)
- if old_resources != new_resources or (old_resources.valid_until < rsn and irdb_resources.valid_until > now):
+ withdraw = False
+
+ if new_resources.empty():
+ rpki.log.debug("Resources shrank to the null set, revoking and withdrawing child certificate SKI %s" % child_cert.cert.gSKI())
+ child_cert.revoke(publisher = publisher)
+ ca_detail.generate_crl(publisher = publisher)
+ withdraw = True
+
+ elif old_resources != new_resources or (old_resources.valid_until < rsn and irdb_resources.valid_until > now):
rpki.log.debug("Need to reissue child certificate SKI %s" % child_cert.cert.gSKI())
child_cert.reissue(
ca_detail = ca_detail,
resources = new_resources,
publisher = publisher)
- if old_resources.valid_until < now:
+
+ elif old_resources.valid_until < now:
rpki.log.debug("Child certificate SKI %s has expired: cert.valid_until %s, irdb.valid_until %s"
% (child_cert.cert.gSKI(), old_resources.valid_until, irdb_resources.valid_until))
child_cert.sql_delete()
- ca_detail.generate_manifest(publisher = publisher)
+ withdraw = True
+
+ if withdraw:
publisher.withdraw(cls = rpki.publication.certificate_elt, uri = child_cert.uri(ca), obj = child_cert.cert, repository = ca.parent().repository())
+ ca_detail.generate_manifest(publisher = publisher)
+
except (SystemExit, rpki.async.ExitNow):
raise
except Exception, e:
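Review bot: The new `new_resources.empty()` branch revokes and withdraws the child certificate but, unlike the expired branch a few lines below, never calls `child_cert.sql_delete()`; unless `revoke()` removes the row itself, the object survives to the next pass, where the intersection is empty again and the certificate is revoked and the CRL regenerated a second time. If `revoke()` does not already delete it, `child_cert.sql_delete()` after `ca_detail.generate_crl(publisher = publisher)` would close that loop. The deferred `withdraw` flag is the right shape, but it deserves a one-line comment so the next reader sees why publication is not done inline, e.g. `# defer withdrawal: the revoked and the expired path share one withdraw + manifest step`. The `try` that the `except` clauses belong to starts outside the hunk.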
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 380ce798..7350b2d0 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -1030,6 +1030,7 @@ class child_cert_obj(rpki.sql.sql_persistent):
rpki.log.debug("Revoking child_cert %r" % x)
x.revoke(publisher = publisher)
ca_detail.generate_crl(publisher = publisher)
+ ca_detail.generate_manifest(publisher = publisher)
child_cert = ca_detail.issue(
ca = ca,