Upload CA cert in the directory on install

This will later allow clients to securely download the CA cert by
performaing mutual auth using LDAP with GSSAPI

install/share/Makefile.am

@@ -60,7 +60,8 @@ app_DATA =				\
 	automember.ldif			\
 	replica-automember.ldif		\
 	replica-s4u2proxy.ldif		\
-	copy-schema-to-ca.py				\
+	copy-schema-to-ca.py		\
+	upload-cacert.ldif		\
 	$(NULL)
 
 EXTRA_DIST =				\

install/share/upload-cacert.ldif

@@ -0,0 +1,7 @@
+# add CA certificate to LDAP server
+dn: cn=CAcert,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: pkiCA
+cn: CAcert
+cACertificate;binary:: $CADERCERT

ipaserver/install/dsinstance.py

@@ -44,6 +44,7 @@ from ipaserver.install import replication
 from ipalib import util, errors
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
+import base64
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
@@ -261,6 +262,7 @@ class DsInstance(service.Service):
         self.step("adding range check plugin", self.__add_range_check_plugin)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
+        self.step("Upload CA cert to the directory", self.__upload_ca_cert)
 
         self.__common_post_setup()
 
@@ -587,6 +589,19 @@ class DsInstance(service.Service):
         # check for open secure port 636 from now on
         self.open_ports.append(636)
 
+    def __upload_ca_cert(self):
+        """
+        Upload the CA certificate in DER form in the LDAP directory.
+        """
+
+        dirname = config_dirname(self.serverid)
+        certdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
+
+        dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)
+        self.sub_dict['CADERCERT'] = base64.b64encode(dercert)
+
+        self._ldap_mod('upload-cacert.ldif', self.sub_dict)
+
     def __add_default_layout(self):
         self._ldap_mod("bootstrap-template.ldif", self.sub_dict)