mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
dbebed2e3a
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||
|---|---|---|
| .. | ||
| gating.yaml | ||
| nightly_latest_389ds.yaml | ||
| nightly_latest_pki.yaml | ||
| nightly_latest_selinux.yaml | ||
| nightly_latest_sssd.yaml | ||
| nightly_latest_testing_selinux.yaml | ||
| nightly_latest_testing.yaml | ||
| nightly_latest.yaml | ||
| nightly_previous.yaml | ||
| nightly_rawhide.yaml | ||
| prci_checker.py | ||
| prci_jobs_spec.yaml | ||
| temp_commit.yaml | ||