diff --git a/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch b/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
new file mode 100644
index 0000000..b4f0431
--- /dev/null
+++ b/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
@@ -0,0 +1,45 @@
+From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
+From: Francisco Trivino
+Date: Feb 01 2022 07:57:24 +0000
+Subject: Custodia: use a stronger encryption algo when exporting keys
+
+
+The Custodia key export handler is using the default's OpenSSL encryption
+scheme for PKCS#12.
+
+This represents an issue when performing a migration from CentOS Stream 8 (C8S)
+to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
+replica talks to the Custodia server on C8S source server. The later creates an
+encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
+default encryption scheme, which is no longer supported on C9S.
+
+This commit enforces a stronger encryption algorigthm by adding following
+arguments to the Custodia server handler:
+
+-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
+
+The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
+
+Fixes: https://pagure.io/freeipa/issue/9101
+
+Signed-off-by: Francisco Trivino
+Reviewed-By: Christian Heimes
+Reviewed-By: Florence Blanc-Renaud
+
+---
+
+diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
+index 4e8eff0..ad36bd0 100644
+--- a/ipaserver/secrets/handlers/pemfile.py
++++ b/ipaserver/secrets/handlers/pemfile.py
+@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
+ '-out', pk12file,
+ '-inkey', args.keyfile,
+ '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
++ '-keypbe', 'AES-256-CBC',
++ '-certpbe', 'AES-256-CBC',
++ '-macalg', 'sha384',
+ ])
+ 
+ with open(pk12file, 'rb') as f:
+
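Review bot: The three added `-keypbe`/`-certpbe`/`-macalg` arguments in the pemfile.py hunk carry no comment, so a later cleanup could drop them and silently reintroduce the legacy defaults that the commit message says a newer client rejects; add above them `# Force PBES2/AES-256 and a SHA-384 MAC: OpenSSL 1.x's PKCS#12 defaults (RC2-40/3DES, SHA-1 MAC) are refused by hosts with legacy algorithms disabled`. The PBKDF2 iteration count is still left at whatever the local OpenSSL chooses, so the work factor of the exported bundle varies with the tool version; if the supported OpenSSL range accepts it, pinning it with `'-iter', <ITERATIONS>` (placeholder for the chosen count) would make the output independent of that default. export_key starts before the hunk and its body continues after it.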
diff --git a/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch b/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch
new file mode 100644
index 0000000..b2530eb
--- /dev/null
+++ b/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch
@@ -0,0 +1,95 @@
+From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Oct 21 2021 19:58:19 +0000
+Subject: ipa-server-install uninstall: remove tdb files
+
+
+ipa-server-install uninstaller must remove samba *.tdb files
+in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
+The current code calls rm on the relative path filename
+instead of building an absolute path filename,
+resulting in failure to remove the tdb files.
+
+Related: https://pagure.io/freeipa/issue/8687
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+
+---
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 24e90f3..e034fab 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
+ ipautil.remove_file(self.smb_conf)
+ 
+ # Remove samba's persistent and temporary tdb files
+- if os.path.isdir(paths.SAMBA_DIR):
+- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
+- if tdb_file.endswith(".tdb")]
+- for tdb_file in tdb_files:
+- ipautil.remove_file(tdb_file)
++ # in /var/lib/samba and /var/lib/samba/private
++ for smbpath in (paths.SAMBA_DIR,
++ os.path.join(paths.SAMBA_DIR, "private"),
++ os.path.join(paths.SAMBA_DIR, "lock")):
++ if os.path.isdir(smbpath):
++ tdb_files = [
++ os.path.join(smbpath, tdb_file)
++ for tdb_file in os.listdir(smbpath)
++ if tdb_file.endswith(".tdb")
++ ]
++ for tdb_file in tdb_files:
++ ipautil.remove_file(tdb_file)
+ 
+ # Remove our keys from samba's keytab
+ self.clean_samba_keytab()
+
+From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Oct 21 2021 19:58:19 +0000
+Subject: ipa-client-samba uninstall: remove tdb files
+
+
+ipa-client-samba uninstaller must remove samba *.tdb files
+in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
+The current code calls rm on the relative path filename
+instead of building an absolute path filename,
+resulting in failure to remove the tdb files.
+
+Fixes: https://pagure.io/freeipa/issue/8687
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+
+---
+
+diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
+index fd89e59..222ff31 100755
+--- a/ipaclient/install/ipa_client_samba.py
++++ b/ipaclient/install/ipa_client_samba.py
+@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
+ fstore.restore_file(paths.SMB_CONF)
+ 
+ # Remove samba's persistent and temporary tdb files
+- tdb_files = [
+- tdb_file
+- for tdb_file in os.listdir(paths.SAMBA_DIR)
+- if tdb_file.endswith(".tdb")
+- ]
+- for tdb_file in tdb_files:
+- ipautil.remove_file(tdb_file)
++ # in /var/lib/samba and /var/lib/samba/private
++ for smbpath in (paths.SAMBA_DIR,
++ os.path.join(paths.SAMBA_DIR, "private"),
++ os.path.join(paths.SAMBA_DIR, "lock")):
++ tdb_files = [
++ os.path.join(smbpath, tdb_file)
++ for tdb_file in os.listdir(smbpath)
++ if tdb_file.endswith(".tdb")
++ ]
++ for tdb_file in tdb_files:
++ ipautil.remove_file(tdb_file)
+ 
+ # Remove our keys from samba's keytab
+ if os.path.exists(paths.SAMBA_KEYTAB):
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 5448366..9c7f181 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -191,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION}
-Release: 10%{?rc_version:.%rc_version}%{?dist}
+Release: 12%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
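Review bot: In the ipaclient/install/ipa_client_samba.py hunk the loop calls `os.listdir(smbpath)` on the `private` and `lock` subdirectories without the `os.path.isdir(smbpath)` guard that the adtrustinstance.py hunk in the same patch adds, so on a host where either directory is absent the uninstall aborts with FileNotFoundError after `fstore.restore_file(paths.SMB_CONF)` has already run, and the keytab cleanup that follows the hunk never executes. Guard it the same way, with `if not os.path.isdir(smbpath): continue` as the first statement of the loop body. The comment `# in /var/lib/samba and /var/lib/samba/private` (present in both hunks) omits the `lock` directory the tuple also covers; `# in /var/lib/samba and its private/ and lock/ subdirectories` would match the code. uninstall starts before the hunk and continues past it.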
@@ -224,6 +224,8 @@ Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.pa
 Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
 Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
 Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
+Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
+Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1717,6 +1719,15 @@ fi
 %changelog
+* Fri Mar 18 2022 Rafael Jeffman - 4.9.6-12
+- ipa-server-install uninstall: remove tdb files
+- ipa-client-samba uninstall: remove tdb files
+ Resolves: RHBZ#2065719
+
+* Tue Mar 15 2022 Rafael Jeffman - 4.9.6-11
+- Custodia use a stronger encryption algo when exporting keys
+ Resolves: RHBZ#2062404
+
 * Thu Nov 30 2021 Rafael Jeffman - 4.9.6-10
 - Bump realease version due to build issue.
 Related: RHBZ#2021489