author | Petr Viktorin <pviktori@redhat.com> | 2013-03-14 13:55:51 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-04-02 15:28:50 +0200 |
commit | ac06a28cf96cd8b685129fa370cbd317b2c31e7c (patch) | |
tree | 46561a499fd1af3276e786aaba30a31579696229 | |
parent | 1e86378d491ac2dcb01fb3ac0da720df2bff5873 (diff) | |
Trust CAs from PKCS#12 files even if they don't have Friendly Names
Instead of trusting all certificates with friendly names,
now all certs without a "u" flag are trusted as root certs.
-rw-r--r-- | ipaserver/install/certs.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 1e718bb38..6d688b351 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -1101,7 +1101,8 @@ class CertDB(object):
 # We only handle one server cert
 nickname = server_certs[0][0]
- ca_names = self.find_root_cert_from_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
+ ca_names = [name for name, flags
+ in self.nssdb.list_certs() if 'u' not in flags]
 if len(ca_names) == 0:
 raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) |
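Review bot: The new comprehension builds `ca_names` from everything `self.nssdb.list_certs()` returns, so any certificate in the database that lacks the `u` flag is treated as a root CA, whether or not it came from `pkcs12_fname` or is a CA at all. If the code after this hunk assigns trust to `ca_names` (it is outside the hunk, so this is inferred), a leaf or peer certificate without a private key would be trusted as an issuer; limiting the list to nicknames added by the import, or checking the CA basic constraint before trusting, would close that gap. At minimum the assumption deserves a comment, e.g. `# Assumes the NSS DB holds only certs imported from this PKCS#12; every cert without a private key ('u') is treated as a CA`. The `RuntimeError` text still says the CA was not found "in" `pkcs12_fname` although the search now runs over the database. The enclosing method starts and ends outside the hunk.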