mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
dbebed2e3a
The ``ipa-client-install`` command now supports PKINIT for client enrollment. Existing X.509 client certificates can be used to authenticate a host. Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA certificates for PKINIT. *Requirements* - The KDC must trust the CA chain of the client certificate. - The client must be able to verify the KDC's PKINIT cert. - The host entry must exist. This limitation may be removed in the future. - A certmap rule must match the host certificate and map it to a single host entry. *Example* ``` ipa-client-install \ --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \ --pkinit-anchor=/path/to/kdc-ca-bundle.pem ``` Fixes: https://pagure.io/freeipa/issue/9271 Fixes: https://pagure.io/freeipa/issue/9269 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> |
||
---|---|---|
.. | ||
man | ||
share | ||
sysconfig | ||
systemd | ||
certbot-dns-ipa.in | ||
config.c | ||
ipa-certupdate.in | ||
ipa-client-automount.in | ||
ipa-client-common.c | ||
ipa-client-common.h | ||
ipa-client-install.in | ||
ipa-client-samba.in | ||
ipa-epn.in | ||
ipa-getkeytab.c | ||
ipa-join.c | ||
ipa-rmkeytab.c | ||
Makefile.am | ||
version.m4.in |