From ac06a28cf96cd8b685129fa370cbd317b2c31e7c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 14 Mar 2013 13:55:51 +0100
Subject: Trust CAs from PKCS#12 files even if they don't have Friendly Names

Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
---
 ipaserver/install/certs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 1e718bb3..6d688b35 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -1101,7 +1101,8 @@ class CertDB(object):
 # We only handle one server cert
 nickname = server_certs[0][0]
- ca_names = self.find_root_cert_from_pkcs12(pkcs12_fname, pkcs12_pwd_fname)
+ ca_names = [name for name, flags
+ in self.nssdb.list_certs() if 'u' not in flags]
 if len(ca_names) == 0:
 raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
-- cgit
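Review bot: The new comprehension for `ca_names` selects every certificate in the NSS database whose flags lack `u`, so the result is no longer tied to `pkcs12_fname`: anything already in the database, and any leaf or intermediate certificate imported without its key, is picked up as well, and per the commit message all of them are then trusted as root certs. Unless the database is guaranteed to hold only the freshly imported file (not visible here; the enclosing method starts and ends outside the hunk), each candidate should be confirmed to be a CA certificate (basicConstraints CA:TRUE, ideally the issuer chain of the server cert) before trust is assigned. At minimum state the assumption next to the filter, e.g. `# assumes the NSS db contains only certs imported from pkcs12_fname; every cert without a private key ('u') is treated as a CA`. The `RuntimeError` message still reports that no CA was found in the file, although the lookup now reads the database.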