From 044c5c833a83a541f97785279acfe8e113035b3d Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 17 Jul 2014 11:47:26 +0200
Subject: Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden
---
 ipaserver/install/cainstance.py | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'ipaserver')
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1d1e9a01c..b64588c0f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -457,6 +457,7 @@ class CAInstance(service.Service):
 self.step("stopping certificate server instance to update CS.cfg", self.__stop)
 self.step("disabling nonces", self.__disable_nonce)
 self.step("set up CRL publishing", self.__enable_crl_publish)
+ self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
 self.step("starting certificate server instance", self.__start)
 # Step 1 of external is getting a CSR so we don't need to do these
 # steps until we get a cert back from the external CA.
@@ -807,6 +808,11 @@ class CAInstance(service.Service):
 os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
+ def enable_pkix(self):
+ installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
+ 'NSS_ENABLE_PKIX_VERIFY', '1',
+ quotes=False, separator='=')
+
 def __issue_ra_cert(self):
 # The CA certificate is in the agent DB but isn't trusted
 (admin_fd, admin_name) = tempfile.mkstemp()
-- cgit
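Review bot: `enable_pkix` in the second hunk has no docstring, and unlike the name-mangled `__disable_nonce` and `__enable_crl_publish` it is public, so code outside this install sequence can call it. The docstring should say that it writes `NSS_ENABLE_PKIX_VERIFY=1` to the Dogtag sysconfig file and that the setting presumably only applies on the next instance start, which the first hunk respects by registering the step between the stop and start steps. For example: `"""Set NSS_ENABLE_PKIX_VERIFY=1 in the Dogtag sysconfig file; takes effect on the next instance start."""`. It is also worth confirming that `installutils.set_directive` keeps the file's ownership and mode when it rewrites it, since the neighbouring context line re-applies `os.chown` after editing CS.cfg; that helper is not visible in this diff.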