authorJan Cholasta <jcholast@redhat.com>2016-02-22 18:14:46 +0100
committerJan Cholasta <jcholast@redhat.com>2016-02-24 09:22:59 +0100
commitef9134640795b736731bfbdb6fe0badb3e817552 (patch)
tree63cb616a9b0e3438f404310ea62b5ea701a7f3be /ipaserver
parentd7efd8a33ab14a561d3af445e62bceb6f2f13fd1 (diff)
cacert install: fix trust chain validation
https://fedorahosted.org/freeipa/ticket/5612 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/ipa_cacert_manage.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 2a4e8efc1..de13ad393 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -335,10 +335,17 @@ class CACertManage(admintool.AdminTool):
nickname = options.nickname or str(subject)
+ ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
+ api.env.basedn,
+ api.env.realm,
+ False)
+
with certs.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.add_cert(cert, nickname, 'C,,')
+ for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
try:
tmpdb.verify_ca_cert_validity(nickname)