URL: https://github.com/freeipa/freeipa/pull/94
Author: tomaskrizek
Title: #94: [ipa-4-2] Keep NSS trust flags of existing certificates
Action: opened
PR body:
"""
Backup and restore trust flags of existing certificates during CA installation. This prevents marking a previously trusted certificate as untrusted, as was the case when CA-less was converted to CA-full with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/94/head:pr94
git checkout pr94
From d09d113f2fe73a86837a8006c234102fa7be05c9 Mon Sep 17 00:00:00 2001 From: Tomas Krizek <tkri...@redhat.com> Date: Tue, 13 Sep 2016 10:14:47 +0200 Subject: [PATCH] Keep NSS trust flags of existing certificates Backup and restore trust flags of existing certificates during CA installation. This prevents marking a previously trusted certificate as untrusted, as was the case when CA-less was converted to CA-full with external CA when using the same certificate. https://fedorahosted.org/freeipa/ticket/5791 --- ipaserver/install/cainstance.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index adbe968..7c8016a 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1015,6 +1015,10 @@ def __create_ca_agent_pkcs12(self): os.remove(pwd_name) def __import_ca_chain(self): + # Backup NSS trust flags of all already existing certificates + certdb = certs.CertDB(self.realm) + cert_backup_list = certdb.list_certs() + chain = self.__get_ca_chain() # If this chain contains multiple certs then certutil will only import @@ -1064,6 +1068,10 @@ def __import_ca_chain(self): os.remove(chain_name) subid += 1 + # Restore NSS trust flags of all previously existing certificates + for nick, trust_flags in cert_backup_list: + certdb.trust_root_cert(nick, trust_flags) + def __request_ra_certificate(self): # Create a noise file for generating our private key noise = array.array('B', os.urandom(128))
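Review bot: in the first hunk of __import_ca_chain, certs.CertDB(self.realm) is constructed with the realm only, so it operates on whatever NSS directory CertDB uses by default, while the diff does not show which database the chain import further down writes to; confirm both refer to the same database, otherwise cert_backup_list = certdb.list_certs() snapshots (and the later restore rewrites) a different set of certificates than the one the import modifies. The hunk also relies on certs already being imported in cainstance.py, which this patch does not add, so check that import exists. Taking the snapshot before self.__get_ca_chain() is the right order, since the flags must be captured before certutil imports any certificate with a colliding nickname.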
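Review bot: the restore loop added at the end of __import_ca_chain is not protected by try/finally, so if the chain import raises after some certificates have already been re-imported, those certificates are left with the overwritten trust flags and the backup is never applied; wrap the import section in try: ... finally: and run the for nick, trust_flags in cert_backup_list loop in the finally block. The loop also calls certdb.trust_root_cert(nick, trust_flags) for every pre-existing certificate, including ones whose flags the import never touched, each of which is a separate certutil invocation; listing the database again after the import and restoring only entries whose flags differ keeps the change to the minimum needed. A short comment stating that list_certs() returns (nick, trust_flags) pairs would help, since the loop depends on exactly that shape.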
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
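The backup-and-restore idea from the PR body, written out as an added example that is not FreeIPA's code and does not use the CertDB class: it parses `certutil -L` output into nickname/trust-flag pairs, compares the database before and after a chain import, and re-applies only the flags that changed, inside a try/finally so an import failure still triggers the restore. The `certutil -L` listings below are constructed sample data, and the `/etc/httpd/alias` path in the usage is an assumed NSS directory; `import_chain` is a hypothetical callable standing in for whatever performs the import.

```python
"""Snapshot and restore NSS trust flags around a CA chain import.

Added example, not FreeIPA's code. The certutil listings are constructed
sample data; the NSS directory used in the usage below is an assumption.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

TrustMap = Dict[str, str]

# Constructed sample of `certutil -L -d <nssdir>` output before the import.
SAMPLE_LISTING_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External Root CA                                             CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
"""

# Constructed listing after a chain import that re-added the external root
# under the same nickname: its flags were rewritten to "no trust".
SAMPLE_LISTING_AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

External Root CA                                             ,,
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""

# Trust attribute string: three comma-separated fields of certutil trust letters.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_cert_listing(text: str) -> TrustMap:
    """Parse certutil -L output into {nickname: trust_flags}.

    Nicknames may contain spaces, so only the last whitespace-separated
    field is taken as the trust string; header lines are skipped."""
    certs: TrustMap = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        if line.lstrip().startswith("SSL,"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            raise ValueError("unrecognised certutil line: %r" % line)
        certs[parts[0]] = parts[1]
    return certs


def snapshot_trust(nssdir: str, run: Callable = subprocess.run) -> TrustMap:
    """List the database with certutil and parse it. `run` is injectable so
    the logic can be exercised without a real NSS database."""
    proc = run(["certutil", "-L", "-d", nssdir],
               check=True, capture_output=True, text=True)
    return parse_cert_listing(proc.stdout)


def flags_to_restore(before: TrustMap, after: TrustMap) -> List[Tuple[str, str]]:
    """Return (nick, flags) for each pre-existing certificate whose trust
    flags differ after the import. Certificates that only appeared with the
    import, and unchanged ones, are left alone."""
    return [(nick, flags) for nick, flags in before.items()
            if nick in after and after[nick] != flags]


def restore_trust(nssdir: str, entries: List[Tuple[str, str]],
                  run: Callable = subprocess.run) -> List[List[str]]:
    """Re-apply trust flags with `certutil -M -n <nick> -t <flags>`.
    Returns the commands issued so callers can log or inspect them."""
    cmds = []
    for nick, flags in entries:
        cmd = ["certutil", "-M", "-d", nssdir, "-n", nick, "-t", flags]
        cmds.append(cmd)
        run(cmd, check=True)
    return cmds


def import_preserving_trust(nssdir: str, import_chain: Callable[[], None],
                            run: Callable = subprocess.run) -> List[List[str]]:
    """Run import_chain() with trust flags of pre-existing certificates
    snapshotted first and restored afterwards, even if the import raises."""
    before = snapshot_trust(nssdir, run)
    try:
        import_chain()
    finally:
        after = snapshot_trust(nssdir, run)
        restored = restore_trust(nssdir, flags_to_restore(before, after), run)
    return restored


if __name__ == "__main__":
    # Assumed NSS directory; import_chain is a placeholder for the real import.
    before = parse_cert_listing(SAMPLE_LISTING_BEFORE)
    after = parse_cert_listing(SAMPLE_LISTING_AFTER)
    print(flags_to_restore(before, after))
```

Restoring only the entries that changed, rather than every pre-existing nickname, keeps the number of `certutil -M` calls to the minimum and avoids touching certificates the import never rewrote; the finally block covers the case where the import fails after some certificates have already lost their flags.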