mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
dbebed2e3a
The ``ipa-client-install`` command now supports PKINIT for client enrollment. Existing X.509 client certificates can be used to authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the future.
- A certmap rule must match the host certificate and map it to a single host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

||
---|---|---|
.. | ||
azure | ||
man | ||
prci_definitions | ||
pytest_ipa | ||
test_cmdline | ||
test_custodia | ||
test_install | ||
test_integration | ||
test_ipaclient | ||
test_ipalib | ||
test_ipaplatform | ||
test_ipapython | ||
test_ipaserver | ||
test_ipatests_plugins | ||
test_webui | ||
test_xmlrpc | ||
__init__.py | ||
conftest.py | ||
create_external_ca.py | ||
data.py | ||
i18n.py | ||
ipa-run-tests | ||
ipa-test-config | ||
ipa-test-task | ||
Makefile.am | ||
setup.cfg | ||
setup.py | ||
test_util.py | ||
util.py |