URL: https://github.com/freeipa/freeipa/pull/4343 Author: fcami Title: #4343: certstore.get_ca_certs(): order CA certs Action: opened PR body: """ Currently, get_ca_certs() returns a non-ordered list of CA certificates. ipa-certupdate then writes that list to ca.crt. However, ldapsearch and other tools expect the first certificate in ca.crt to be valid. This is not the case if the first cACertificate attribute contains an expired certificate. get_ca_certs() will now insert in front of the list the current certificates, and append the ones which are either not yet valid or not valid anymore, making sure the first certificate in front of the list is current. Fixes: https://pagure.io/freeipa/issue/8223 Signed-off-by: François Cami <fcami(a)redhat.com&gt; """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4343/head:pr4343 git checkout pr4343