[Freeipa-users] smart cards containing multiple certificates

Michael Rainey (Contractor) michael.rainey.ctr at nrlssc.navy.mil
Fri Feb 12 15:33:01 UTC 2016


I recently discovered something that may be a little off in the SSSD 
Design Docs 
<https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1>.  
When using the certutil command shown below to dump the PEM encoded 
certificates from the smart card, the output is not the certificate 
which is being read by the SSSD daemon.  (I hope the terminology is 
correct.)

    certutil -L -d /etc/pki/nssdb -n 'Certificate Nick-Name' -a | grep -v -- '----' | tr -d '[\n\r]'

When the command is run I am prompted for my pin and after my pin is 
entered, what I believe is returned are the private keys on the card.

After conducting some further research and testing, I eventually settled 
on the following command to extract the correct public keys.

    pkcs15-tool --read-certificate <ID> | grep -v -- '----' | tr -d '[\n\r]'

I don't know if this has been noted in the past, but I do feel it is 
important to mention in either case.

Thanks,

Michael Rainey

On 02/11/2016 02:46 AM, Sumit Bose wrote:
> On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote:
>> Greetings,
>>
>> I'm curious as to how IPA handles smart cards containing multiple
>> certificates.  When I follow the steps listed at
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1
>> when installing my certificate, I notice the certutil command dumps all
>> installed certificates, and dumps the certificates in a different order
>> depending on which certificate is selected.  When the server tries to match
>> a certificate does it compare all certificates as one long continuous
>> string, or does it compare one certificate at a time?  I'm curious if this
>> presents a problem for the end-user or has this problem been addressed?
> SSSD looks for valid certificates which have client authentication set
> in the extended key usage. If multiple certificates are found, currently
> just the "first" one is used. More options to configure the certificate
> selection are planned for the next release.
>
> If you have a specific selection of certificates on the Smartcards you
> use which currently do not work as expected with SSSD feel free to send
> me a dump of the certificates on the card or a description so that I can
> see what kind of configuration options might be needed to select the
> right one. If you prefer you can send this data to me directly.
>
> HTH
>
> bye,
> Sumit
>
>> -- 
>> *Michael Rainey*
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
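Added example, not part of the thread above: a small POSIX shell script that automates the pkcs15-tool extraction from the post and, for each certificate on the card, checks what Sumit's reply says SSSD actually looks at (a certificate, not a key, carrying the clientAuth extended key usage) before producing the one-line base64 form the design doc pastes into IPA. It assumes pkcs15-tool and openssl are installed and that `pkcs15-tool --list-certificates` prints an `ID : nn` line per certificate object; the PEM checks themselves work on any file.

```shell
#!/bin/sh
# Added example (not from the original thread or the SSSD project).
# Assumed tools: pkcs15-tool (OpenSC) and openssl on PATH.

# Print the label of the first PEM block in a file, e.g. "CERTIFICATE"
# or "PRIVATE KEY". Only "CERTIFICATE" is what IPA/SSSD wants.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Return 0 if file $1 holds a certificate whose Extended Key Usage
# includes clientAuth (the criterion SSSD matches on), else 1.
has_client_auth_eku() {
    [ "$(pem_label "$1")" = "CERTIFICATE" ] || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# Strip the PEM armour and line breaks: the single-line base64 string
# the design doc pastes into the usercertificate attribute.
pem_to_oneline() {
    grep -v -- '----' "$1" | tr -d '\n\r'
}

# Walk the certificate IDs the card reports (assumed "ID : nn" lines in
# pkcs15-tool --list-certificates output) and show which ones qualify.
# Per Sumit's reply, the first qualifying one is what SSSD currently uses.
check_card_certs() {
    first=""
    for id in $(pkcs15-tool --list-certificates 2>/dev/null \
                | sed -n 's/^[[:space:]]*ID[[:space:]]*:[[:space:]]*//p'); do
        tmp=$(mktemp) || return 1
        pkcs15-tool --read-certificate "$id" > "$tmp" 2>/dev/null
        if has_client_auth_eku "$tmp"; then
            printf '%s: clientAuth certificate, %s base64 chars\n' \
                "$id" "$(pem_to_oneline "$tmp" | wc -c)"
            [ -z "$first" ] && first=$id
        else
            printf '%s: skipped (label=%s, no clientAuth EKU)\n' \
                "$id" "$(pem_label "$tmp")"
        fi
        rm -f "$tmp"
    done
    [ -n "$first" ] && printf 'SSSD would pick certificate ID %s\n' "$first"
}

# Run the card scan only when asked, so the functions can be sourced too.
case "${1:-}" in --scan) check_card_certs ;; esac
```

Run it as `sh script.sh --scan` with the card inserted; the ID it reports is the one to feed to `pkcs15-tool --read-certificate`.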
