authorJan Cholasta <jcholast@redhat.com>2014-07-03 15:29:44 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit987bf3fbf097425935a91730f725f02107116f27 (patch)
treecdc4ba73d39955adc140fe4aa567b46603114ef4 /ipaserver
parentf1e186d7d879098b37ba6c3f6ea257942381d4c1 (diff)
Allow multiple CA certificates in replica info files.
Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certs.py16
1 files changed, 15 insertions, 1 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 02f079e63..815f3bf31 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -868,7 +868,21 @@ class CertDB(object):
raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname)
if ca_file:
- self.nssdb.import_pem_cert('CA', ',,', ca_file)
+ try:
+ with open(ca_file) as fd:
+ certs = fd.read()
+ except IOError as e:
+ raise RuntimeError(
+ "Failed to open %s: %s" % (ca_file, e.strerror))
+ st = 0
+ num = 1
+ while True:
+ try:
+ cert, st = find_cert_from_txt(certs, st)
+ except RuntimeError:
+ break
+ self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
+ num += 1
# We only handle one server cert
nickname = server_certs[0][0]
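Review bot: The `except RuntimeError: break` around `find_cert_from_txt` serves as both the end-of-input signal and the only error path, so a `ca_file` with no parsable certificate now imports nothing and the method continues without a CA certificate in the NSS database. If `find_cert_from_txt` also raises RuntimeError for malformed input (its body is not visible here), a damaged later block would be dropped silently and the remaining certificates skipped. Add a check after the loop, `if num == 1: raise RuntimeError("No CA certificate found in %s" % ca_file)`, so an empty or unreadable bundle fails the import instead of leaving the replica without its CA chain. The nickname also changes from `'CA'` to `'CA 1'`, `'CA 2'`, …, so any code that looks the certificate up by the old nickname should be checked; the enclosing CertDB method starts and ends outside the hunk.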