From 70ec9193404463ad62ee6fe14a033425906e6b13 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 23 Aug 2016 10:39:08 +0200
Subject: [PATCH] custodia: include known CA certs in the PKCS#12 file for
 Dogtag

This fixes CA replica install in a topology upgraded from CA-less to
CA-full.

https://fedorahosted.org/freeipa/ticket/6207

Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/custodiainstance.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 785f86fc159f2d73184ea5bb3c0303cecde153df..18bd51426cde09af6a34855a49db386a72cc6b9c 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -2,6 +2,7 @@
 
 from ipapython.secrets.kem import IPAKEMKeys
 from ipapython.secrets.client import CustodiaClient
+from ipaserver.install.certs import CertDB
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
@@ -154,6 +155,11 @@ class CustodiaInstance(SimpleServiceInstance):
                              '-i', pk12file,
                              '-w', pk12pwfile])
 
+            # Add CA certificates
+            tmpdb = CertDB(self.realm, nssdir=tmpnssdir)
+            self.suffix = ipautil.realm_to_suffix(self.realm)
+            self.import_ca_certs(tmpdb, True)
+
             # Now that we gathered all certs, re-export
             ipautil.run([paths.PKCS12EXPORT,
                          '-d', tmpnssdir,
-- 
2.7.4