Fix trust flags for audit_signing cert

The audit_signing and ca_signing require special flags to be set in nssdb to render it useful. This patch fixes audit_signing. TODO: When CA renewal is supported, the correct flags must be set for ca_signing Ticket: https://pagure.io/dogtagpki/issue/3066 Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
dogtagpki · Sep 26, 2018 · 8190e6b · 8190e6b
1 parent e6c14a9
commit 8190e6b
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py
@@ -1010,6 +1010,13 @@ def execute(self, argv):
                 subsystem_name, instance_name)
             sys.exit(1)
 
+        # audit and CA certs require special flags set in NSSDB
+        trust_attributes = None
+        if cert_id == 'ca_signing':
+            trust_attributes = 'CT,C,C'
+        elif cert_tag == 'audit_signing':
+            trust_attributes = ',,P'
+
         nssdb = instance.open_nssdb()
 
         try:
@@ -1037,7 +1044,8 @@ def execute(self, argv):
             nssdb.add_cert(
                 nickname=cert['nickname'],
                 token=cert['token'],
-                cert_file=cert_file)
+                cert_file=cert_file,
+                trust_attributes=trust_attributes)
 
             logger.info('Updating CS.cfg with the new certificate')