freeipa/ipalib/install
Christian Heimes dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00
..
__init__.py install: introduce installer class hierarchy 2016-11-11 12:17:25 +01:00
certmonger.py Ensure that KDC cert has SAN DNS entry 2021-01-29 13:36:41 -05:00
certstore.py Fix ipa-server-upgrade: This entry already exists 2017-08-30 12:47:53 +02:00
dnsforwarders.py Add helpers for resolve1 and nameservers 2020-09-23 16:44:26 +02:00
hostname.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
kinit.py Add PKINIT support to ipa-client-install 2022-11-16 14:32:05 +02:00
service.py pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
sysrestore.py Address legacy pylint issues in sysrestore.py 2020-08-07 16:44:28 -04:00