From b87d468a5bfc69a0e8390e7484e9bb6d225e404e Mon Sep 17 00:00:00 2001
From: Paul Wise <pabs@debian.org>
Date: Wed, 7 Jan 2015 14:43:04 +0800
Subject: [PATCH] We still have some debian.org certs signed by SPI and
 USERFirst

---
 modules/ssl/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 7c9ffd67b..0ae64aa4e 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -17,7 +17,7 @@ class ssl {
 	}
 	file { '/etc/ca-certificates-debian.conf':
 		mode    => '0444',
-		content => "# This file is under puppet control\n# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README\nmozilla/AddTrust_External_Root.crt\n",
+		content => "# This file is under puppet control\n# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README\nmozilla/AddTrust_External_Root.crt\nmozilla/UTN_USERFirst_Hardware_Root_CA.crt\nspi-inc.org/spi-cacert-2008.crt\n",
 		notify  => Exec['refresh_ca_debian_hashes'],
 	}
 	file { '/etc/ca-certificates-global.conf':
-- 
2.20.1