From ebddde95f4aa4605e5a89e56f291ac39379cfb73 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 9 Sep 2024 12:27:05 +0200
Subject: [PATCH] System: Trust - temporary disable validation of multiple certs in a ca, as discussed in https://github.com/opnsense/core/commit/76228b0a458b163b59f420abcd2fd15975494793#r146422317 with @fichtner
---
 src/opnsense/scripts/system/certctl.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/opnsense/scripts/system/certctl.py b/src/opnsense/scripts/system/certctl.py
index ca5fe0eee..cc1ea4854 100755
--- a/src/opnsense/scripts/system/certctl.py
+++ b/src/opnsense/scripts/system/certctl.py
@@ -45,9 +45,10 @@ def get_name_hash_file_pattern(filename):
 x509_item = x509.load_pem_x509_crl(open(filename, 'rb').read())
 elif fext in ['pem', 'cer', 'crt']:
 tmp = x509.load_pem_x509_certificates(open(filename, 'rb').read())
- if len(tmp) > 1:
- print('Skipping %s as it does not contain exactly one certificate' % filename)
- return None
+ # XXX: should be enabled after investigating the ca_root_nss situation
+ # if len(tmp) > 1:
+ # print('Skipping %s as it does not contain exactly one certificate' % filename)
+ # return None
 x509_item = tmp[0]
 else:
 # not supported
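Review bot: With the length check commented out, a `.pem`/`.cer`/`.crt` file that holds several certificates is now accepted without any message, and only `tmp[0]` is carried forward as `x509_item`, so the remaining certificates in that file pass through the trust tooling unnoticed. Until the ca_root_nss question is settled, I would keep the visibility and drop only the early return: `if len(tmp) > 1:` followed by `print('Warning: %s contains %d certificates, only the first is used' % (filename, len(tmp)))`. That also avoids leaving commented-out code in the file. The `XXX` comment would be more useful if it named the linked discussion, so the check is not forgotten. The body of get_name_hash_file_pattern starts and ends outside this hunk, so how `x509_item` is used afterwards is not visible here.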