freeipa/ipalib
Christian Heimes dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00
| Name | Last commit message | Last commit date |
|---|---|---|
| install | Add PKINIT support to ipa-client-install | 2022-11-16 14:32:05 +02:00 |
| __init__.py | Add a new parameter type, SerialNumber, as a subclass of Str | 2022-06-09 08:35:15 +02:00 |
| aci.py | De-duplicate ACI attributes and permissions | 2020-09-14 09:15:59 +03:00 |
| backend.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| base.py | pylint: Skip false-positive invalid-sequence-index | 2022-03-11 13:37:08 -05:00 |
| capabilities.py | Support AES for KRA archival wrapping | 2022-03-16 12:07:01 +02:00 |
| cli.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| config.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| constants.py | Add switch for LDAP cache debug output | 2022-06-14 15:56:21 +03:00 |
| crud.py | ipalib, ipaserver: fix incorrect API.register calls in docstrings | 2016-05-25 16:06:26 +02:00 |
| dns.py | dnsrecord-mod: allow to modify ttl without passing the record | 2019-07-01 09:16:21 +02:00 |
| errors.py | rpcserver: fix exception handling for FAST armor failure | 2020-10-30 19:06:11 +02:00 |
| facts.py | Fall back to old server installation detection when needed | 2020-08-18 11:11:26 +02:00 |
| frontend.py | pylint: Remove unused __convert_iter | 2022-03-11 13:37:08 -05:00 |
| krb_utils.py | krb_utils: Simplify get_credentials | 2021-06-12 11:19:25 +03:00 |
| Makefile.am | Build: Makefiles for Python packages | 2016-11-09 13:08:32 +01:00 |
| messages.py | Warn for permissions with read/write/search/compare and no attrs | 2022-07-15 16:59:15 +02:00 |
| misc.py | plugins: Don't treat keys of api as bytes | 2021-06-28 14:16:56 +03:00 |
| output.py | Generate same API.txt under Python 2 and 3 | 2018-02-15 09:41:30 +01:00 |
| parameters.py | Add a new parameter type, SerialNumber, as a subclass of Str | 2022-06-09 08:35:15 +02:00 |
| pkcs10.py | Change FreeIPA references to IPA and Identity Management | 2021-01-21 13:51:45 +01:00 |
| plugable.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| request.py | Py3: Remove subclassing from object | 2018-09-27 11:49:04 +02:00 |
| rpc.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| setup.cfg | Port all setup.py to setuptools | 2016-10-20 18:43:37 +02:00 |
| setup.py | Add helpers for resolve1 and nameservers | 2020-09-23 16:44:26 +02:00 |
| sysrestore.py | pylint: Fix consider-using-dict-items | 2022-03-11 13:37:08 -05:00 |
| text.py | pylint: Fix useless-suppression | 2022-03-11 13:37:08 -05:00 |
| util.py | ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default | 2022-03-17 11:49:57 -04:00 |
| x509.py | x509: Replace removed register_interface with subclassing | 2022-09-19 14:15:36 -04:00 |