[Freeipa-users] FreeIPA dogtag pkinit
Fraser Tweedale
ftweedal at redhat.com
Sun Nov 1 22:43:32 UTC 2015
On Fri, Oct 30, 2015 at 03:02:56PM +0100, Sumit Bose wrote:
> On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> > Hello,
> >
> > I am looking for a way to use pkinit
> > (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> > FreeIPA (even without dogtag).
> >
> > Can someone give me a howto for this?
>
> I can follow the steps described in the MIT pkinit instructions from
> above. Besides creating the needed certificates you only have to modify
> krb5.conf on the IPA server and client. The kadmin steps are not needed
> here because pre-authentication is already required for all IPA users.
>
> >
> > On the official documentation and the ML archive, I only find some
> > references about the disabled feature because of the dogtag incompatibility.
>
> Yes, this was mainly done because there are special requirements on the
> certificates, as can be seen from the MIT document, which were hard to
> meet at the time.
>
> With the latest version of FreeIPA we now have certificate profiles
> which should allow an automatic pkinit setup in future versions of IPA.
> My plan is to check what is needed here during the next weeks.
>
We support the Krb5PrincipalName OtherName SAN already, even in the
default profile**. It must be included in the PKCS #10 CSR (per
instructions at MIT page above) and values are validated by FreeIPA
before passing to Dogtag.
** Key Usage / Extended Key Usage would probably not be appropriate
for user certs, though.
There's a ticket for "CSR templates"[1] to make doing this sort of
thing easier. Eventually I would like to have profiles that don't
need any special info in the CSR but just read data from the
directory.
[1] https://fedorahosted.org/freeipa/ticket/4899
Cheers,
Fraser
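For anyone who wants to see what the SAN Fraser describes actually looks like on the wire, here is an added example (written for this thread; it is not FreeIPA, Dogtag or MIT Kerberos code and not part of the original message). It DER-encodes the id-pkinit-san otherName (OID 1.3.6.1.5.2.2) carrying a KRB5PrincipalName as laid out in RFC 4556, decodes it back, and then applies the kind of sanity check an enrolment policy would want before a CSR reaches the CA: the realm must be the IPA realm, the name-type must be NT-PRINCIPAL, and the single component must equal the requesting uid. The realm EXAMPLE.COM, the user alice and the validate_san_for_user policy are assumptions for illustration only; the checks FreeIPA itself performs are not reproduced here.

```python
"""Build and check the id-pkinit-san otherName used for PKINIT client certs.

Added example, not project code. Pure stdlib; no CSR library needed.
"""
from typing import List, Tuple

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san, RFC 4556 section 3.2.2
NT_PRINCIPAL = 1                  # Kerberos name-type for user principals

# --- minimal DER encoder -----------------------------------------------------
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body

def _general_string(s: str) -> bytes:      # KerberosString is a GeneralString
    return _tlv(0x1B, s.encode("ascii"))

def _integer(n: int) -> bytes:             # non-negative INTEGER only
    if n < 0:
        raise ValueError("negative INTEGER not supported")
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _explicit(n: int, body: bytes) -> bytes:   # [n] EXPLICIT (context, constructed)
    return _tlv(0xA0 | n, body)

def _sequence(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_krb5_principal_name(realm: str, components: List[str],
                               name_type: int = NT_PRINCIPAL) -> bytes:
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName     ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    return _sequence(
        _explicit(0, _general_string(realm)),
        _explicit(1, _sequence(
            _explicit(0, _integer(name_type)),
            _explicit(1, _sequence(*[_general_string(c) for c in components])))))

def encode_pkinit_san_othername(realm: str, components: List[str],
                                name_type: int = NT_PRINCIPAL) -> bytes:
    # GeneralName.otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    value = _explicit(0, encode_krb5_principal_name(realm, components, name_type))
    return _tlv(0xA0, _oid(ID_PKINIT_SAN) + value)

# --- minimal DER decoder -----------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length

def _expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    t, body, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return body, end

def decode_pkinit_san_othername(der: bytes) -> Tuple[str, int, List[str]]:
    """Return (realm, name_type, components) or raise ValueError on bad input."""
    body, end = _expect(der, 0, 0xA0)
    if end != len(der):
        raise ValueError("trailing data after otherName")
    oid_body, pos = _expect(body, 0, 0x06)
    if oid_body != _oid(ID_PKINIT_SAN)[2:]:
        raise ValueError("otherName type-id is not id-pkinit-san")
    value, pos = _expect(body, pos, 0xA0)
    if pos != len(body):
        raise ValueError("trailing data inside otherName")
    kpn, _ = _expect(value, 0, 0x30)
    realm_wrap, pos = _expect(kpn, 0, 0xA0)
    realm_b, _ = _expect(realm_wrap, 0, 0x1B)
    pn_wrap, _ = _expect(kpn, pos, 0xA1)
    pn, _ = _expect(pn_wrap, 0, 0x30)
    nt_wrap, pos = _expect(pn, 0, 0xA0)
    nt_b, _ = _expect(nt_wrap, 0, 0x02)
    ns_wrap, _ = _expect(pn, pos, 0xA1)
    ns, _ = _expect(ns_wrap, 0, 0x30)
    comps, p = [], 0
    while p < len(ns):
        c, p = _expect(ns, p, 0x1B)
        comps.append(c.decode("ascii"))
    return realm_b.decode("ascii"), int.from_bytes(nt_b, "big", signed=True), comps

# --- illustrative enrolment policy (assumption, not FreeIPA's real checks) ---
def validate_san_for_user(der: bytes, ipa_realm: str, uid: str) -> Tuple[bool, str]:
    try:
        realm, name_type, comps = decode_pkinit_san_othername(der)
    except ValueError as e:
        return False, f"malformed id-pkinit-san: {e}"
    if realm != ipa_realm:
        return False, f"realm {realm!r} is not the IPA realm {ipa_realm!r}"
    if name_type != NT_PRINCIPAL:
        return False, f"name-type {name_type} is not NT-PRINCIPAL"
    if comps != [uid]:                 # a user cert may only name its own principal
        return False, f"principal {'/'.join(comps)}@{realm} does not belong to {uid!r}"
    return True, f"{uid}@{realm}"

if __name__ == "__main__":
    san = encode_pkinit_san_othername("EXAMPLE.COM", ["alice"])   # constructed sample
    print(san.hex())
    print(validate_san_for_user(san, "EXAMPLE.COM", "alice"))
    print(validate_san_for_user(san, "EXAMPLE.COM", "bob"))
    print(validate_san_for_user(san, "CORP.EXAMPLE", "alice"))
```

The same structure is what the MIT page has OpenSSL produce from its config (the otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name stanza), so the bytes from encode_pkinit_san_othername can be compared against `openssl req -text -noout` output on a CSR built that way. The policy function is the point worth copying: whoever accepts a CSR with this SAN must bind the principal in it to the authenticated requester, otherwise any enrollee can ask for a cert that logs in as somebody else.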
> HTH
>
> bye,
> Sumit
>
> >
> > Some links from my search:
> > https://github.com/encukou/freeipa/blob/master/ipalib/plugins/pkinit.py
> > https://www.redhat.com/archives/freeipa-devel/2010-November/msg00348.html
> > https://www.redhat.com/archives/freeipa-devel/2011-January/msg00906.html
> >
> > The only interesting thing I know of is this doc on creating a FreeIPA
> > server without Dogtag:
> > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
> >
> > Thank you in advance for any information on the subject.
> >
> > --
> > Jean Eymerit
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>