[Freeipa-users] FreeIPA dogtag pkinit

Sumit Bose sbose at redhat.com
Fri Oct 30 14:02:56 UTC 2015


On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> Hello,
> 
> I search a way to use pkinit
> (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> FreeIPA (even without dogtag).
> 
> Can someone give me a howto for this?

I can follow the steps described in the MIT pkinit instructions from
above. Besides creating the needed certificates you only have to modify
krb5.conf on the IPA server and client. The kadmin steps are not needed
here because pre-authentication is already required for all IPA users.

> 
> On the official documentation and the ML archive, I only find some
> references about the disabled feature because of the dogtag incompatibility.

Yes, this was mainly done because there are special requirements on the
certificates, as can be seen from the MIT document, which were hard to
meet at the time.

With the latest version of FreeIPA we now have certificate profiles
which should allow an automatic pkinit setup in future versions of IPA.
My plan is to check what is needed here during the next weeks.

HTH

bye,
Sumit

> 
> Some links after my search :
> https://github.com/encukou/freeipa/blob/master/ipalib/plugins/pkinit.py
> https://www.redhat.com/archives/freeipa-devel/2010-November/msg00348.html
> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00906.html
> 
> The only interesting thing I know is this doc to create a FreeIPA server
> without Dogtag:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
> 
> Thank you in advance for any information on the subject.
> 
> -- 
> Jean Eymerit
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
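As an added example that is not part of this thread, of FreeIPA or of MIT Kerberos: the "create the needed certificates, then edit the Kerberos configuration" steps Sumit refers to, scripted end to end. It writes OpenSSL extension sections modelled on the MIT pkinit document (issuerAltName left out so the scratch CA needs no SAN of its own), issues a KDC certificate and a client certificate from a throwaway CA, checks the chain and the principal-name otherName on each, and prints the kdc.conf/krb5.conf fragments that point at the files. The realm EXAMPLE.COM, the hostnames, the principal alice and the scratch paths are assumed values.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or from FreeIPA/MIT code.
# Issues a PKINIT KDC certificate and client certificate from a scratch CA with
# the extensions MIT pkinit expects, then prints matching kdc.conf/krb5.conf
# fragments. Realm, hostnames, principal and paths are assumed values.
set -eu

# Extension sections modelled on the MIT pkinit document. OpenSSL expands the
# ${ENV::...} references from the REALM and CLIENT environment variables.
write_pkinit_extensions() {   # $1 = file to write
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash

# KDC: EKU id-pkinit-KPKdc, SAN otherName id-pkinit-san = krbtgt/REALM@REALM
[ kdc_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[ kdc_princ_name ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[ kdc_principal_seq ]
name_type = EXP:0, INTEGER:2
name_string = EXP:1, SEQUENCE:kdc_principals
[ kdc_principals ]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

# Client: EKU id-pkinit-KPClientAuth, SAN otherName = CLIENT@REALM (NT-PRINCIPAL)
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[ princ_name ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[ principal_seq ]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[ principals ]
princ1 = GeneralString:${ENV::CLIENT}
EOF
}

# Key + CSR + CA-signed cert: $1 = dir, $2 = kdc|client, $3 = extension section.
# The CN is informational only; PKINIT matches principals on the SAN otherName.
issue_cert() {
  openssl genrsa -out "$1/$2key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/$2key.pem" -config "$1/pkinit_extensions" \
    -subj "/CN=$2.example.com" -out "$1/$2.req"
  openssl x509 -req -in "$1/$2.req" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$1/pkinit_extensions" -extensions "$3" \
    -out "$1/$2.pem" 2>/dev/null
}

make_pkinit_certs() {   # $1 = work dir, $2 = realm, $3 = client principal name
  REALM=$2 CLIENT=$3; export REALM CLIENT
  write_pkinit_extensions "$1/pkinit_extensions"
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/cakey.pem" -config "$1/pkinit_extensions" \
    -extensions ca_cert -subj "/CN=$2 PKINIT CA" -days 3650 -out "$1/cacert.pem"
  issue_cert "$1" kdc kdc_cert
  issue_cert "$1" client client_cert
}

chain_ok() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }  # $1 dir, $2 cert
has_pkinit_san() { openssl x509 -in "$1" -noout -text | grep -qi othername; }
cert_eku() { openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1; }

print_krb5_fragments() {   # $1 = dir holding the generated files
  cat <<EOF
# kdc.conf on the KDC
[kdcdefaults]
    pkinit_identity = FILE:$1/kdc.pem,$1/kdckey.pem
    pkinit_anchors = FILE:$1/cacert.pem
# krb5.conf on the client
[realms]
    $REALM = {
        pkinit_anchors = FILE:$1/cacert.pem
        pkinit_identities = FILE:$1/client.pem,$1/clientkey.pem
    }
EOF
}

main() {
  work=$(mktemp -d)
  make_pkinit_certs "$work" EXAMPLE.COM alice
  for c in kdc client; do
    chain_ok "$work" "$work/$c.pem"     # set -e aborts if the CA did not sign it
    has_pkinit_san "$work/$c.pem"       # principal-name otherName must be present
    echo "$c EKU: $(cert_eku "$work/$c.pem")"
  done
  print_krb5_fragments "$work"
}
main
```

The MIT document places pkinit_identity and pkinit_anchors in kdc.conf [kdcdefaults] on the KDC (on a Fedora/RHEL IPA server that file is /var/kerberos/krb5kdc/kdc.conf) and pkinit_anchors plus pkinit_identities in krb5.conf on the clients; the fragments above follow that split. Two things the script checks are the ones that bite in practice: the KDC certificate's otherName has to name krbtgt/REALM@REALM, or clients reject the KDC's signature unless pkinit_kdc_hostname is set to accept a dNSName instead, and the client certificate has to carry the id-pkinit-KPClientAuth EKU unless pkinit_eku_checking on the KDC is relaxed.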
