From 70ec9193404463ad62ee6fe14a033425906e6b13 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 23 Aug 2016 10:39:08 +0200
Subject: [PATCH] custodia: include known CA certs in the PKCS#12 file for Dogtag

This fixes CA replica install in a topology upgraded from CA-less to CA-full.

https://fedorahosted.org/freeipa/ticket/6207

Reviewed-By: Martin Basti
---
 ipaserver/install/custodiainstance.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 785f86fc159f2d73184ea5bb3c0303cecde153df..18bd51426cde09af6a34855a49db386a72cc6b9c 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -2,6 +2,7 @@
 
 from ipapython.secrets.kem import IPAKEMKeys
 from ipapython.secrets.client import CustodiaClient
+from ipaserver.install.certs import CertDB
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
@@ -154,6 +155,11 @@ class CustodiaInstance(SimpleServiceInstance):
 '-i', pk12file,
 '-w', pk12pwfile])
 
+# Add CA certificates
+tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
+self.suffix = ipautil.realm_to_suffix(self.realm)
+self.import_ca_certs(tmpdb, True)
+
 # Now that we gathered all certs, re-export
 ipautil.run([paths.PKCS12EXPORT,
 '-d', tmpnssdir,
--
2.7.4
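Review bot: The new `from ipaserver.install.certs import CertDB` is placed between the `ipapython` and `ipaplatform` imports instead of next to the file's other `ipaserver.install` import, which breaks the apparent per-package grouping of the import block. Moving it to sit beside `from ipaserver.install.service import SimpleServiceInstance` keeps the ipapython, ipaplatform and ipaserver imports together. The import block continues outside the hunk, so there may be further ipaserver imports it should join.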
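Review bot: `self.suffix = ipautil.realm_to_suffix(self.realm)` assigns an instance attribute as a side effect of what looks like a PKCS#12 export helper, apparently only so that `self.import_ca_certs` can read it; setting it once in the constructor (or passing the suffix to the call) removes a hidden ordering dependency and avoids later code observing `self.suffix` unset or silently overwritten. The positional `True` in `self.import_ca_certs(tmpdb, True)` should be passed by keyword so its meaning is visible at the call site — the parameter name is not visible in this hunk and has to be taken from the method's definition. The comment `# Add CA certificates` would be more useful as a why-comment, e.g. `# Dogtag needs the CA chain in the PKCS#12 file; pull the known CA certs into the temporary NSS DB before re-exporting`. Since the certificates imported here end up in the PKCS#12 handed to Dogtag, it is worth confirming that `import_ca_certs` assigns the intended trust flags rather than trusting every imported cert; that is not visible from this hunk. The enclosing method starts and ends outside the hunk.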