From 3ee73ed6d739a9d89dadd78f37388e8cfdba143b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 18 Apr 2017 17:17:48 +0200
Subject: [PATCH] ext. CA: correctly write the cert chain

Without this patch, the cert file would have been reopened and
overwritten for each certificate in the CA cert chain.

https://pagure.io/freeipa/issue/6872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ac5d9e2fc633c5ad732670245b72bee0f03268a6..e2070e39f7e162fcff6e1f8cca41218e440b5f58 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -783,9 +783,10 @@ class CAInstance(DogtagInstance):
         certlist = x509.pkcs7_to_pems(data, x509.DER)
 
         # We have all the certificates in certlist, write them to a PEM file
-        for cert in certlist:
-            with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+        with open(paths.IPA_CA_CRT, 'w') as ipaca_pem:
+            for cert in certlist:
                 ipaca_pem.write(cert)
+                ipaca_pem.write('\n')
 
     def __request_ra_certificate(self):
         # create a temp file storing the pwd
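Review bot: Opening `paths.IPA_CA_CRT` in `'w'` mode ahead of the loop truncates the CA chain file even when `certlist` is empty, whereas the removed loop would not have opened the file at all in that case. A guard before the `with`, such as `if not certlist: raise RuntimeError("no certificates found in the CA chain")` (or whichever error type the installer uses), would keep an existing trust anchor file from being silently emptied. The chain is also written in place, so a failure partway through the loop leaves a partial chain on disk; writing to a temporary file in the same directory and renaming it over the target would avoid that. The enclosing method starts above the hunk, so the origin and validation of `data` are not visible here.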
-- 
2.12.2