Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/configuration.py')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/configuration.py | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 79b66757a..f93a24723 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -157,18 +157,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
             subsystem.config['ca.signing.certreq'] = signing_csr
 
-            # If specified, import external CA cert into NSS database.
-            external_ca_cert_chain_nickname = \
-                deployer.mdict['pki_external_ca_cert_chain_nickname']
-            external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
-            if external_ca_cert_chain_file:
-                cert_chain, _nicks = nssdb.import_cert_chain(
-                    nickname=external_ca_cert_chain_nickname,
-                    cert_chain_file=external_ca_cert_chain_file,
-                    trust_attributes='CT,C,C')
-                subsystem.config['ca.external_ca_chain.cert'] = cert_chain
-
             # If specified, import externally-signed CA cert into NSS database.
+            # Note: CA cert must be imported before the cert chain to ensure that
+            # the CA cert is imported with the correct nickname.
             signing_nickname = deployer.mdict['pki_ca_signing_nickname']
             signing_cert_file = deployer.mdict['pki_external_ca_cert_path']
             if signing_cert_file:
@@ -183,6 +174,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
                 nssdb.import_pkcs12(pkcs12_file, pkcs12_password)
 
+            # If specified, import cert chain into NSS database.
+            external_ca_cert_chain_nickname = \
+                deployer.mdict['pki_external_ca_cert_chain_nickname']
+            external_ca_cert_chain_file = deployer.mdict['pki_external_ca_cert_chain_path']
+            if external_ca_cert_chain_file:
+                cert_chain, _nicks = nssdb.import_cert_chain(
+                    nickname=external_ca_cert_chain_nickname,
+                    cert_chain_file=external_ca_cert_chain_file,
+                    trust_attributes='CT,C,C')
+                subsystem.config['ca.external_ca_chain.cert'] = cert_chain
+
             # Export CA cert from NSS database and import it into CS.cfg.
             signing_cert_data = nssdb.get_cert(
                 nickname=signing_nickname, |
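Review bot: The ordering constraint this move relies on is documented only at the CA cert import in the first hunk, not at the relocated chain import itself, so a later refactor can move this block back above the CA cert import without any comment flagging it; add `# Must run after the external CA cert import above so that cert keeps pki_ca_signing_nickname.` directly under the `# If specified, import cert chain into NSS database.` line. The moved block also applies `trust_attributes='CT,C,C'` to every certificate in pki_external_ca_cert_chain_path, so any intermediate or non-CA certificate present in that file is marked as a trusted CA for SSL, e-mail and object signing in the NSS database; a comment stating that the file is expected to hold only CA certificates the deployment intends to trust would make that explicit for operators. As a minor point of style, `external_ca_cert_chain_nickname` is read from deployer.mdict even when no chain file is configured; moving that lookup inside the `if external_ca_cert_chain_file:` branch keeps the optional path independent of that key. The enclosing method starts and ends outside the hunk.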