[Freeipa-users] FreeIPA dogtag pkinit

Fraser Tweedale ftweedal at redhat.com
Sun Nov 1 22:43:32 UTC 2015


On Fri, Oct 30, 2015 at 03:02:56PM +0100, Sumit Bose wrote:
> On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> > Hello,
> > 
> > I search a way to use pkinit
> > (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> > FreeIPA (even without dogtag).
> > 
> > Can someone give me a howto for this?
> 
> I can follow the steps described in the MIT pkinit instructions from
> above. Besides creating the needed certificates you only have to modify
> krb5.conf on the IPA server and client. The kadmin steps are not needed
> here because pre-authentication is already required for all IPA users.
> 
> > 
> > On the official documentation and the ML archive, I only find some
> > references about the disabled feature because of the dogtag incompatibility.
> 
> Yes, this was mainly done because there are special requirements on the
> certificates as can be seen from the MIT document, which were hard to
> meet at the time.
> 
> With the latest version of FreeIPA we now have certificate profiles
> which should allow an automatic pkinit setup in future versions of IPA.
> My plan is to check what is needed here during the next weeks.
> 
We support the Krb5PrincipalName OtherName SAN already, even in the
default profile**.  It must be included in the PKCS #10 CSR (per
instructions at MIT page above) and values are validated by FreeIPA
before passing to Dogtag.

** Key Usage / Extended Key Usage would probably not be appropriate
   for user certs, though.

There's a ticket for "CSR templates"[1] to make doing this sort of
thing easier.  Eventually I would like to have profiles that don't
need any special info in the CSR but just read data from the
directory.

[1] https://fedorahosted.org/freeipa/ticket/4899

Cheers,
Fraser

> HTH
> 
> bye,
> Sumit
> 
> > 
> > Some links after my search :
> > https://github.com/encukou/freeipa/blob/master/ipalib/plugins/pkinit.py
> > https://www.redhat.com/archives/freeipa-devel/2010-November/msg00348.html
> > https://www.redhat.com/archives/freeipa-devel/2011-January/msg00906.html
> > 
> > The only interesting thing I know is this doc to create a FreeIPA server
> > without Dogtag:
> > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
> > 
> > Thank you in advance for any information on the subject.
> > 
> > -- 
> > Jean Eymerit
> > 
> > 
> > -- 
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
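The SAN that Fraser says must be present in the CSR carries a DER-encoded KRB5PrincipalName. As an added example (not code from the thread, from FreeIPA or from Dogtag), the pure-Python code below encodes and decodes that value per RFC 4556 and the MIT pkinit document, and ends with a check that the principal named in a request matches the expected user and realm; the exact validation FreeIPA performs before calling Dogtag is not described in the thread, so the shape of `san_matches` is an assumption.

```python
# Added example, not code from the thread or from FreeIPA: DER encode/decode
# of the KRB5PrincipalName value inside the Krb5PrincipalName OtherName SAN
# (id-pkinit-san, OID 1.3.6.1.5.2.2), per RFC 4556 / the MIT pkinit document:
#   KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
#   PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
SEQUENCE, INTEGER, GENERAL_STRING = 0x30, 0x02, 0x1B   # KerberosString is a GeneralString

def _tlv(tag, body):  # DER tag-length-value, definite-length form
    n = len(body)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_krb5_principal_name(realm, components, name_type=1):  # 1 = NT-PRINCIPAL
    nt = name_type.to_bytes(max(1, (name_type.bit_length() + 8) // 8), "big")
    name_string = _tlv(SEQUENCE, b"".join(_tlv(GENERAL_STRING, c.encode("ascii")) for c in components))
    principal = _tlv(SEQUENCE, _tlv(0xA0, _tlv(INTEGER, nt)) + _tlv(0xA1, name_string))
    return _tlv(SEQUENCE, _tlv(0xA0, _tlv(GENERAL_STRING, realm.encode("ascii"))) + _tlv(0xA1, principal))

def _read_tlv(buf, pos):  # returns (tag, value, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):  # split a constructed body into its (tag, value) elements
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_krb5_principal_name(der):  # -> (realm, name_type, components)
    tag, body, end = _read_tlv(der, 0)
    (t0, realm_tlv), (t1, princ_tlv) = _children(body)   # wrong count -> ValueError
    if tag != SEQUENCE or end != len(der) or (t0, t1) != (0xA0, 0xA1):
        raise ValueError("not a KRB5PrincipalName SEQUENCE with [0]/[1] tagging")
    realm = _children(realm_tlv)[0][1].decode("ascii")
    (_, nt_tlv), (_, ns_tlv) = _children(_children(princ_tlv)[0][1])
    name_type = int.from_bytes(_children(nt_tlv)[0][1], "big")
    components = [v.decode("ascii") for _, v in _children(_children(ns_tlv)[0][1])]
    return realm, name_type, components

def san_matches(der, expected_realm, expected_principal):
    # Assumed shape of a pre-issuance check; the thread does not say what FreeIPA validates.
    try:
        realm, name_type, comps = decode_krb5_principal_name(der)
    except (ValueError, IndexError):   # malformed or truncated value: reject
        return False
    return realm == expected_realm and name_type == 1 and "/".join(comps) == expected_principal
```

A CSR whose SAN names a different realm, a different user, or a malformed value is rejected, which is the property a CA front end wants before a pkinit certificate is issued.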