From 6cb4f4bd50fe25f6ad66a4da1cec9dedfb281f12 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 22 Jan 2020 10:22:13 -0500
Subject: [PATCH] ipa-certupdate removes all CA certs from db before adding new ones

This will allow for CA certificates to be dropped from the list of certificates. It also allows for the trust flags to be updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud
---
 ipaclient/install/ipa_certupdate.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index 03105d167..40a9283bd 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -203,7 +203,16 @@ def update_file(filename, certs, mode=0o644):
 
 
 def update_db(path, certs):
+    """Drop all CA certs from db then add certs from list provided
+
+    This may result in some churn as existing certs are dropped
+    and re-added but this also provides the ability to change
+    the trust flags.
+    """
     db = certdb.NSSDatabase(path)
+    for name, flags in db.list_certs():
+        if flags.ca:
+            db.delete_cert(name)
     for cert, nickname, trusted, eku in certs:
         trust_flags = certstore.key_policy_to_trust_flags(trusted, True, eku)
         try:
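Review bot: The new deletion loop removes every CA cert from the NSS database before the add loop below has succeeded, so a failure inside the `try:` at the end of the hunk (its body is outside the hunk) leaves the client with fewer trust anchors than it started with, and there is no rollback. If that window is accepted, the docstring should say so; I would add `Note: deletion is not transactional; a failed add leaves the db without the dropped CA certs until the next successful run.` and have callers treat a partial update as an error. Separately, the loop deletes while iterating `db.list_certs()`; if that method yields lazily from the database, materializing it first with `for name, flags in list(db.list_certs()):` avoids skipping or re-reading entries mid-mutation (harmless if it already returns a list, which the hunk does not show). update_db continues outside the hunk.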