From cc572378a69a7e4d18b7297b7fa54e2fe8e33b2f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: May 19 2017 10:31:24 +0000 Subject: certs: do not export CA certs in install_pem_from_p12 This fixes `kdc.crt` containing the full chain rather than just the KDC certificate in CA-less server install. https://pagure.io/freeipa/issue/6831 https://pagure.io/freeipa/issue/6869 Reviewed-By: Stanislav Laznicka Reviewed-By: Martin Babinsky --- diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 06a7e21..02c479d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -64,7 +64,7 @@ def get_cert_nickname(cert): def install_pem_from_p12(p12_fname, p12_passwd, pem_fname): pwd = ipautil.write_tmp_file(p12_passwd) - ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys", + ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys", "-clcerts", "-in", p12_fname, "-out", pem_fname, "-passin", "file:" + pwd.name])
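Review bot: `install_pem_from_p12` still has no docstring, and after this change callers such as the KDC setup depend on a contract that is only visible in the openssl flags. I would add `"""Export the end-entity certificate(s) from a PKCS#12 file to PEM, omitting private keys and CA certificates."""` under the `def` line. `-clcerts` leaves the selection to OpenSSL, which as far as I know keeps the certificates tied to a private key in the bundle, so a PKCS#12 with more than one key-bearing entry could presumably still yield several certificates in `pem_fname`. If `kdc.crt` must hold exactly one certificate, a count check on the output after `ipautil.run` would catch that case instead of silently installing extra certificates. Passing the password through `-passin file:` keeps it off the process argument list and should stay as is; the end of the function is not visible in this hunk.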