Import CA certs from certificate store to HTTP NSS database on server install.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 56f8a8910..830ea486f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -111,6 +111,7 @@ class HTTPInstance(service.Service):
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up ssl", self.__setup_ssl)
+        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         if autoconfig:
             self.step("setting up browser autoconfig", self.__setup_autoconfig)
         self.step("publish CA cert", self.__publish_ca_cert)
@@ -315,6 +316,10 @@ class HTTPInstance(service.Service):
         tasks.restore_context(certs.NSS_DIR + "/cert8.db")
         tasks.restore_context(certs.NSS_DIR + "/key3.db")
 
+    def __import_ca_certs(self):
+        db = certs.CertDB(self.realm, subject_base=self.subject_base)
+        self.import_ca_certs(db, api.env.enable_ra)
+
     def __setup_autoconfig(self):
         target_fname = paths.PREFERENCES_HTML
         ipautil.copy_template_file(