freeipa/client/man
Christian Heimes dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00
| File | Last commit | Date |
|---|---|---|
| default.conf.5 | Add switch for LDAP cache debug output | 2022-06-14 15:56:21 +03:00 |
| epn.conf.5 | EPN: document missing option msg_subject | 2022-04-29 13:56:19 -04:00 |
| ipa-certupdate.1 | Change FreeIPA references to IPA and Identity Management | 2021-01-21 13:51:45 +01:00 |
| ipa-client-automount.1 | Remove the --no-sssd option from ipa-client-automount | 2022-03-18 09:40:37 +01:00 |
| ipa-client-install.1 | Add PKINIT support to ipa-client-install | 2022-11-16 14:32:05 +02:00 |
| ipa-client-samba.1 | man: fix ipa-client-samba.1 typos | 2021-02-15 10:04:55 +02:00 |
| ipa-epn.1 | man: fix typos in ipa-epn.1 | 2021-05-18 14:59:10 +02:00 |
| ipa-getkeytab.1 | ipa-getkeytab: add option to discover servers using DNS SRV | 2021-07-30 08:45:08 -04:00 |
| ipa-join.1 | Change FreeIPA references to IPA and Identity Management | 2021-01-21 13:51:45 +01:00 |
| ipa-rmkeytab.1 | Change FreeIPA references to IPA and Identity Management | 2021-01-21 13:51:45 +01:00 |
| ipa.1 | ipa man page: format the EXAMPLES section | 2022-09-30 15:15:50 +02:00 |
| Makefile.am | IPA-EPN: First version. | 2020-06-09 08:43:45 +02:00 |