authorSimo Sorce <simo@redhat.com>2012-11-12 17:43:05 -0500
committerRob Crittenden <rcritten@redhat.com>2013-01-23 14:21:07 -0500
commit08089748c81561e3697c94288c6cc30a5f8e3952 (patch)
treefd7dc1a2ac54ea93749af277d525c914253b9861 /ipaserver
parent040ba6bebaa55e7cfa3062d8ced5b4a7f96073d8 (diff)
Upload CA cert in the directory on install
This will later allow clients to securely download the CA cert by performing mutual auth using LDAP with GSSAPI
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py15
1 files changed, 15 insertions, 0 deletions
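--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -44,6 +44,7 @@ from ipaserver.install import replication
 from ipalib import util, errors
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
+import base64
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -261,6 +262,7 @@ class DsInstance(service.Service):
 self.step("adding range check plugin", self.__add_range_check_plugin)
 if hbac_allow:
 self.step("creating default HBAC rule allow_all", self.add_hbac)
+self.step("Upload CA cert to the directory", self.__upload_ca_cert)
 self.__common_post_setup()
@@ -587,6 +589,19 @@ class DsInstance(service.Service):
 # check for open secure port 636 from now on
 self.open_ports.append(636)
+def __upload_ca_cert(self):
+"""
+Upload the CA certificate in DER form in the LDAP directory.
+"""
+
+dirname = config_dirname(self.serverid)
+certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
+
+dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
+self.sub_dict['CADERCERT'] = base64.b64encode(dercert)
+
+self._ldap_mod('upload-cacert.ldif', self.sub_dict)
+
 def __add_default_layout(self):
 self._ldap_mod("bootstrap-template.ldif", self.sub_dict)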
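Review bot: `__upload_ca_cert` base64-encodes whatever `certdb.get_cert_from_db` returns without checking that the CA certificate was actually found; if that helper can return None or an empty value (its body is not in this hunk), the step would either fail with an unhelpful TypeError from `base64.b64encode` or publish an empty `CADERCERT` value, and since clients are meant to trust this entry for mutual auth an explicit failure is preferable. Adding `if not dercert:` / `raise RuntimeError("CA certificate %s not found in %s" % (certdb.cacert_name, dirname))` before the encode would make the install stop with a clear message. Two smaller points: the new step description "Upload CA cert to the directory" in the second hunk breaks the lowercase gerund convention of the neighbouring steps (`"uploading CA cert to the directory"` would match), and the `import base64` in the first hunk is placed after the project imports rather than with the standard-library ones at the top of the import block.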