[Freeipa-users] smart cards containing multiple certificates

Sumit Bose sbose at redhat.com
Thu Feb 11 08:46:15 UTC 2016


On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
> 
> I'm curious as to how IPA handles smart cards containing multiple
> certificates.  When I follow the steps listed at
> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1
> when installing my certificate, I notice the certutil command dumps all
> installed certificates, and dumps the certificates in a different order
> depending on which certificate is selected.  When the server tries to match
> a certificate does it compare all certificates as one long continuous
> string, or does it compare one certificate at a time?  I'm curious if this
> presents a problem for the end-user or has this problem been addressed?

SSSD looks for valid certificates which have client authentication set
in the extended key usage. If multiple certificates are found, currently
just the "first" one is used. More options to configure the certificate
selection are planned for the next release.

If you have a specific selection of certificates on the Smartcards you
use which currently do not work as expected with SSSD feel free to send
me a dump of the certificates on the card or a description so that I can
see what kind of configuration options might be needed to select the
right one. If you prefer you can send this data to me directly.

HTH

bye,
Sumit

> -- 
> *Michael Rainey*
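
The selection rule described in the reply above, sketched as an added example that is not part of the original thread and is not SSSD code. It assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`), works on certificates already exported to PEM files, and reduces "valid" to an expiry check; the function and file names are hypothetical and the certificates are constructed sample data.

```shell
#!/bin/sh
# Added example, not SSSD code. Approximates the rule in the reply: a
# certificate is a candidate if it has not expired and its extended key
# usage includes client authentication; the first candidate wins.
# Assumption: "valid" is reduced to an expiry check (no chain validation).

is_candidate() {
    # -checkend 0 exits non-zero if the certificate has already expired
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Print the first candidate among the PEM files given, in argument order.
select_cert() {
    for cert in "$@"; do
        if is_candidate "$cert"; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# Constructed sample data: a self-signed certificate with the given EKU.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Build three sample certificates in a scratch directory and run the
# selection over them in two different orders.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_cert email emailProtection
        make_cert auth1 clientAuth
        make_cert auth2 clientAuth,emailProtection
        select_cert email.pem auth1.pem auth2.pem   # prints auth1.pem
        select_cert auth2.pem email.pem auth1.pem   # prints auth2.pem
    )
    rm -rf "$dir"
}

demo
```

With two certificates that both carry client authentication, the result depends only on the order in which they are presented, which is why a changing dump order matters under a "first match" rule.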
