author | Jan Cholasta <jcholast@redhat.com> | 2016-02-22 18:14:46 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-02-24 09:22:59 +0100 |
commit | ef9134640795b736731bfbdb6fe0badb3e817552 (patch) | |
tree | 63cb616a9b0e3438f404310ea62b5ea701a7f3be /ipaserver/install/ipa_cacert_manage.py | |
parent | d7efd8a33ab14a561d3af445e62bceb6f2f13fd1 (diff) | |
cacert install: fix trust chain validation
https://fedorahosted.org/freeipa/ticket/5612
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/install/ipa_cacert_manage.py')
-rw-r--r-- | ipaserver/install/ipa_cacert_manage.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 2a4e8efc1..de13ad393 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -335,10 +335,17 @@ class CACertManage(admintool.AdminTool):
 nickname = options.nickname or str(subject)
+ ca_certs = certstore.get_ca_certs_nss(api.Backend.ldap2,
+ api.env.basedn,
+ api.env.realm,
+ False)
+
 with certs.NSSDatabase() as tmpdb:
 pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
 tmpdb.create_db(pw.name)
 tmpdb.add_cert(cert, nickname, 'C,,')
+ for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
+ tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
 try:
 tmpdb.verify_ca_cert_validity(nickname) |
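Review bot: The loop that copies the stored CA certificates into `tmpdb` does not guard against an entry whose `ca_nickname` equals `nickname`, the name later passed to `verify_ca_cert_validity(nickname)`. If the store already holds a certificate under that nickname (for example an earlier certificate with the same subject), the check may evaluate a different certificate than the one being installed, or `add_cert` may raise outside the `try`; how `add_cert` treats a duplicate nickname is not visible here. Consider skipping such entries with `if ca_nickname == nickname: continue`, or refusing the install with a clear error. The bare `False` in the `get_ca_certs_nss(...)` call also deserves a short comment saying what it selects, and because the outcome now depends on trust flags read from LDAP, a comment such as `# chain is validated against the trust flags stored in LDAP` would make that dependency explicit. The enclosing method and the `try` block continue outside the hunk.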