[Freeipa-users] smart cards caintaining multiple certificates
Rob Crittenden
rcritten at redhat.com
Fri Feb 12 16:04:35 UTC 2016
Michael Rainey (Contractor) wrote:
> I recently discovered something that may be a little off in the SSSD
> Design Docs
> <https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1>.
> When using the certutil command shown below to dump the PEM encoded
> certificates from the smart card. The output is not the certificate
> which is being read by the SSSD daemon. ( I hope the terminology is
> correct.)
>
> * certutil -L -d /etc/pki/nssdb -n 'Certificate Nick-Name' -a | grep
> -v -- '----' |tr -d '[\n\r]'
>
> *When the command is run I am prompted for my pin and after my pin is
> entered, what I believe is returned are the private keys on the card.
-L lists certs, not keys, so I'd be very surprised to find it let the
private key go. AFAIK the only way to get a private key out of NSS is
using pk12util. What does the PEM header say when you don't grep it out?
rob
>
> After conducting some further research and testing, I eventually settled
> on the following command to extract the correct public keys.
> *pkcs15-tool --read-certificate <ID> | grep -v -- '----' | tr -d
> '[\n\r]'
> *
>
> I don't know if this has been noted in the past, but I do feel it is
> important to mention in either case.
>
> *Thanks,
>
> Michael Rainey*
>
> On 02/11/2016 02:46 AM, Sumit Bose wrote:
>> On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote:
>>> Greetings,
>>>
>>> I'm curious as to how IPA handles smart cards containing multiple
>>> certificates. When I follow the steps listed at
>>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1
>>> when installing my certificate, I notice the certutil command dumps all
>>> installed certificates, and dumps the certificates in a different order
>>> depending on which certificate is selected. When the server tries to match
>>> a certificate does it compare all certificates as one long continuous
>>> string, or does it compare one certificate at a time? I'm curious if this
>>> presents a problem for the end-user or has this problem been addressed?
>> SSSD looks for valid certificates which have client authentication set
>> in the extended key usage. If multiple certificate are found currently
>> just the "first" one is used. More option to configure the certificate
>> selection are planned for the next release.
>>
>> If you have a specific selection of certificates on the Smartcards you
>> use which currently do not work as expected with SSSD feel free to send
>> me a dump of the certificates on the card or a description so that I can
>> see what kind of configuration options might be needed to select the
>> right one. If you prefer you can send this data to me directly.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> --
>>> *Michael Rainey*
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>
>
>
More information about the Freeipa-users
mailing list