On Mon, May 29, 2017 at 04:38:57PM +0200, Florence Blanc-Renaud via FreeIPA-devel wrote:
>On 05/26/2017 03:55 PM, Martin Babinsky via FreeIPA-devel wrote:
>> Hi List,
>> Me, Alexander, and Pavel discussed the current issues and hurdles related to
>> various configurational aspects of SmartCard Authentication against FreeIPA
>> masters.
>> Based on the inputs gathered during the discussion we have put together a short
>> Design page draft[1] describing the proposed approach used for configuring:
>>     * PKINIT for server and clients
>>     * OCSP responder in mod_nss
>>     * WebUI smart card login
>> As always feel free to comment and voice your concerns regarding the design and
>> implementation of the feature.
>> [1] https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
>Hi Martin,
>thank you for this design, the feature will really ease Smart Card
>One of the pain points is the installation of the CA when the smart card
>certificates are signed by an external CA. I think that ipa-advise should
>also mention that:
>- ipa-cacert-manage install/ipa-certupdate must be run
>- the CA must be added in /etc/pki/nssdb for GDM or ssh cert auth
>FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

That's a very good point I missed, thank you for pointing this out. We can
certainly incorporate these steps into the scripts generated from the advises.

Martin Babinsky