gpo: Fix root cert import when NDES is not available

Seems that I broke this myself 🙈 apologies...

As of 8231eaf8, the NDES feature is no longer required on Windows, as cert auto-enroll can use the certificate from the LDAP request.

However, 157335ee changed the implementation to convert the LDAP certificate to base64 due to it failing to cleanly convert to a string.

Because of insufficient test coverage I missed handling the part where NDES is disabled or not reachable and the LDAP certificate was imported. The call to load_der_x509_certificate now fails with an error because it expects binary data, yet it receives a base64-encoded string.

This should either be wrapped in certificate blocks and imported as PEM, or converted back to binary and imported as DER. For the fix, I've opted for the latter since it's how it used to work before it regressed in 157335ee.


  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by David Mulder
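
The regression described above comes down to a DER parser being handed base64 text. As an added example (not code from this merge request or from Samba), here is a standard-library sketch that normalizes a certificate blob arriving as DER bytes, bare base64 or PEM back to DER before it reaches a DER loader. The names `to_der` and `der_sequence_ok` are hypothetical, and the check covers only the outer DER SEQUENCE framing, not full X.509 parsing.

```python
import base64
import binascii

PEM_HEAD = b"-----BEGIN CERTIFICATE-----"
PEM_TAIL = b"-----END CERTIFICATE-----"

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE TLV, the outer shape of a certificate."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == hdr + length

def to_der(blob) -> bytes:
    """Normalize DER bytes, bare base64 text or PEM to DER bytes; raise ValueError otherwise."""
    raw = blob.encode("ascii") if isinstance(blob, str) else bytes(blob)
    # base64 of a DER SEQUENCE always starts with "M", never the 0x30 tag byte,
    # so encoded text cannot be mistaken for binary DER here.
    if der_sequence_ok(raw):
        return raw
    text = raw.strip()
    if text.startswith(PEM_HEAD) and text.endswith(PEM_TAIL):
        text = text[len(PEM_HEAD):-len(PEM_TAIL)]
    try:
        der = base64.b64decode(b"".join(text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("input is neither DER, base64 nor PEM") from exc
    if not der_sequence_ok(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der

# Constructed sample: a tiny DER SEQUENCE (INTEGER 5, OCTET STRING 00), not a real certificate.
SAMPLE_DER = bytes.fromhex("3006020105040100")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = PEM_HEAD + b"\n" + SAMPLE_B64.encode("ascii") + b"\n" + PEM_TAIL + b"\n"

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("base64", SAMPLE_B64), ("pem", SAMPLE_PEM)):
        print(name, to_der(blob).hex())
```

A negative test for the import path can feed the base64 form straight to the DER loader and assert that it is rejected, which is the case the description says was not covered.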