On 05/26/2017 03:55 PM, Martin Babinsky via FreeIPA-devel wrote:
Hi List,

Alexander, Pavel, and I discussed the current issues and hurdles related to
various configurational aspects of SmartCard Authentication against FreeIPA
masters.

Based on the inputs gathered during the discussion we have put together a short
Design page draft[1] describing the proposed approach used for configuring:
    * PKINIT for server and clients
    * OCSP responder in mod_nss
    * WebUI smart card login

As always, feel free to comment and voice your concerns regarding the design and
implementation of the feature.

[1] https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes


Hi Martin,

thank you for this design, the feature will really ease Smart Card configuration.

One of the pain points is the installation of the CA when the smart card certificates are signed by an external CA. I think that ipa-advise should also mention that:
- ipa-cacert-manage install/ipa-certupdate must be run
- the CA must be added in /etc/pki/nssdb for GDM or ssh cert auth

Thanks,
Flo.
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
