From 08d3dcb1834fc227dcd9d2071fda58e6dc639394 Mon Sep 17 00:00:00 2001

From: Tomas Krizek <tkrizek@redhat.com>

Date: Tue, 13 Sep 2016 10:14:47 +0200

Subject: [PATCH] Keep NSS trust flags of existing certificates

Backup and restore trust flags of existing certificates during CA

installation. This prevents marking a previously trusted certificate

as untrusted, as was the case when CA-less was converted to CA-full

with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

 ipaserver/install/cainstance.py | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index 3551887cd8ff8baa5e17f8969c84fb92d7552ef3..6c57aadfcdc2864f8cdc84c16556dce7163737fc 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -832,6 +832,10 @@ class CAInstance(DogtagInstance):

             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))

     def __import_ca_chain(self):

+        # Backup NSS trust flags of all already existing certificates

+        certdb = certs.CertDB(self.realm)

+        cert_backup_list = certdb.list_certs()

+

         chain = self.__get_ca_chain()

         # If this chain contains multiple certs then certutil will only import

@@ -882,6 +886,10 @@ class CAInstance(DogtagInstance):

                     os.remove(chain_name)

                     subid += 1

+        # Restore NSS trust flags of all previously existing certificates

+        for nick, trust_flags in cert_backup_list:

+            certdb.trust_root_cert(nick, trust_flags)

+

     def __request_ra_certificate(self):

         # Create a noise file for generating our private key

         noise = array.array('B', os.urandom(128))

-- 

2.10.2