There are multiple places in the source where the CA chain is retrieved and installed into a provided NSS database or file. There should be some shared utility in ipapython to handle this rather than spreading it around the code. A quick git grep produces:
$ git grep "for cert, nick"
ipaclient/install/client.py: for cert, nickname, trust_flags in ca_certs_trust:
ipaclient/install/ipa_certupdate.py: for cert, nickname, trusted, eku in certs:
ipalib/install/certstore.py: for cert, nickname, trusted, ext_key_usage in certs:
ipaplatform/redhat/tasks.py: for cert, nickname, trusted, _ext_key_usage in ca_certs:
ipaserver/install/server/upgrade.py: for cert, nickname, trust_flags in ca_certs:
ipaserver/install/service.py: for cert, nickname, trust_flags in ca_certs:
Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8