authorDavid Kupka <dkupka@redhat.com>2014-10-14 03:40:43 -0400
committerPetr Viktorin <pviktori@redhat.com>2014-10-14 10:55:29 +0200
commitc8f7cb0163c766aa46a3435dfc9984bf8761f27d (patch)
tree40a99832e6da331ffc96b0246268d22aec99b6db
parent4cdeacdedfe344e570da99548043a07a6fa24dbe (diff)
Set IPA CA for freeipa certificates.
In previous versions (before moving certmonger.py to DBus) it was set, and some tools and modules depend on it. For example: ipa-getcert uses this to filter freeipa certificates. https://fedorahosted.org/freeipa/ticket/4618 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipapython/certmonger.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index bcfafdaf4..ca8b37392 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -278,7 +278,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
certmonger to run when it renews a certificate. This command must
reside in /usr/lib/ipa/certmonger to work with SELinux.
- Returns True or False
+ Returns certificate nickname.
"""
cm = _connect_to_certmonger()
params = {'TRACK': True}
@@ -288,6 +288,10 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
params['key-nickname'] = nickname
params['key-database'] = os.path.abspath(secdir)
params['key-storage'] = 'NSSDB'
+ ca_path = cm.obj_if.find_ca_by_nickname('IPA')
+ if not ca_path:
+ raise RuntimeError('IPA CA not found')
+ params['ca'] = ca_path
if command:
params['cert-postsave-command'] = command
if password_file:
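Review bot: The new `raise RuntimeError('IPA CA not found')` gives callers of start_tracking() a failure mode they did not have before, and the docstring edited in the first hunk documents only the return value; I would add a line there such as `Raises RuntimeError if certmonger has no CA nicknamed 'IPA'.` Failing before the tracking request is submitted looks right, since a request without `params['ca']` would presumably be left to certmonger's default CA choice and, per the commit message, be missed by ipa-getcert's filter. The message could also name certmonger, e.g. `raise RuntimeError("IPA CA not found in certmonger")`, so an operator knows where to look. Whether `find_ca_by_nickname` can itself raise a D-Bus error rather than return an empty path is not visible here and is worth confirming. The function body starts and continues outside this hunk.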