authorJan Cholasta <jcholast@redhat.com>2014-06-12 10:23:19 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit82d682fa6413fc2532e9f3f9dd4abb1c70c40f8a (patch)
treebe4382c5867061a294d9b32004b22931295104a6 /ipaserver/install/service.py
parent88706c56745faa430ff00d2f1c5f0605b5af29ef (diff)
Import CA certs from certificate store to DS NSS database on replica install.
Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver/install/service.py')
-rw-r--r--ipaserver/install/service.py17
1 files changed, 16 insertions, 1 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 9e4ea3700..585c903bd 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -27,7 +27,7 @@ import datetime
from ipapython import sysrestore, ipautil, dogtag, ipaldap
from ipapython.dn import DN
from ipapython.ipa_log_manager import *
-from ipalib import errors
+from ipalib import errors, certstore
from ipaplatform import services
from ipaplatform.paths import paths
@@ -269,6 +269,21 @@ class Service(object):
except Exception, e:
root_logger.critical("Could not add certificate to service %s entry: %s" % (self.principal, str(e)))
+ def import_ca_certs(self, db, ca_is_configured, conn=None):
+ if conn is None:
+ if not self.admin_conn:
+ self.ldap_connect()
+ conn = self.admin_conn
+
+ try:
+ ca_certs = certstore.get_ca_certs_nss(
+ conn, self.suffix, self.realm, ca_is_configured)
+ except errors.NotFound:
+ pass
+ else:
+ for cert, nickname, trust_flags in ca_certs:
+ db.add_cert(cert, nickname, trust_flags)
+
def is_configured(self):
return self.sstore.has_state(self.service_name)
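Review bot: The `except errors.NotFound: pass` branch in `import_ca_certs` leaves the NSS database without any CA certificates and records nothing, so a replica whose certificate-store lookup comes back empty would only show the problem later as certificate validation failures. Log that case with the logger this file already uses, for example `root_logger.debug("No CA certificates found in the certificate store for realm %s" % self.realm)`, or re-raise and let the caller decide whether it is fatal. The nickname and trust flags returned by `certstore.get_ca_certs_nss` are passed to `db.add_cert` unchanged, so presumably write access to the LDAP certificate store decides what this host trusts. A short docstring should state that, along with what `db`, `ca_is_configured` and the optional `conn` are expected to be. The enclosing `Service` class starts outside the hunk.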