Add PKINIT support to ipa-client-install

The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipaclient/install/ipa_certupdate.py

@@ -103,7 +103,9 @@ def run_with_args(api):
     else:
         lwcas = []
 
-    if is_ipa_configured():
+    ipa_configured = is_ipa_configured()
+
+    if ipa_configured:
         # look up CA servers before service restarts
         resp = api.Command.server_role_find(
             role_servrole=u'CA server',
@@ -141,6 +143,11 @@ def run_with_args(api):
 
     update_client(certs)
 
+    # update_client() may have updated KDC cert bundle; restart KDC to pick
+    # up changes.
+    if ipa_configured and services.knownservices.krb5kdc.is_running():
+        services.knownservices.krb5kdc.restart()
+
 
 def update_client(certs):
     update_file(paths.IPA_CA_CRT, certs)