On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> Hello,
>
> I am searching for a way to use pkinit
> (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> FreeIPA (even without dogtag).
>
> Can someone give me a howto for this?
I can follow the steps described in the MIT pkinit instructions from above. Besides creating the needed certificates you only have to modify krb5.conf on the IPA server and client. The kadmin steps are not needed here because pre-authentication is already required for all IPA users.

> On the official documentation and the ML archive, I only find some
> references about the disabled feature because of the dogtag incompatibility.

Yes, this was mainly done because there are special requirements on the certificates, as can be seen from the MIT document, which were hard to meet at the time. With the latest version of FreeIPA we now have certificate profiles which should allow an automatic pkinit setup in future versions of IPA. My plan is to check what is needed here during the next weeks.

HTH

bye,
Sumit

> Some links after my search:
> https://github.com/encukou/freeipa/blob/master/ipalib/plugins/pkinit.py
> https://www.redhat.com/archives/freeipa-devel/2010-November/msg00348.html
> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00906.html
>
> The only interesting thing I know, it's this doc to create a FreeIPA server
> without Dogtag:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
>
> Thank you in advance for any information on the subject.
>
> --
> Jean Eymerit
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
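As an added illustration of the configuration change Sumit refers to (not taken from the thread or from the FreeIPA project), the fragments below show the PKINIT settings on the client in krb5.conf and, following the MIT document, on the KDC in kdc.conf. Realm name, hostname and file paths are placeholders; the CA file is assumed to be the IPA CA certificate.

```ini
# ---- Client: /etc/krb5.conf (placeholder realm and paths) ----
[libdefaults]
    default_realm = EXAMPLE.TEST

[realms]
    EXAMPLE.TEST = {
        kdc = ipa.example.test:88
        # CA certificate(s) the client trusts when verifying the KDC certificate
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ipa-ca.crt
        # Client certificate and private key presented during pre-authentication
        pkinit_identities = FILE:/etc/krb5/user.pem,/etc/krb5/userkey.pem
        # Default value, stated explicitly: the KDC certificate must carry the
        # id-pkinit-KPKdc extended key usage and the krbtgt/REALM SAN required
        # by the MIT document. Setting this to "none" lets any certificate
        # issued by the trusted CA pass as the KDC, so leave it at kpKDC.
        pkinit_eku_checking = kpKDC
    }

# ---- KDC: kdc.conf (/var/kerberos/krb5kdc/kdc.conf on RHEL/Fedora) ----
[kdcdefaults]
    # KDC certificate and key, issued with the PKINIT-specific extensions
    pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
    # CA(s) allowed to issue client certificates for PKINIT
    pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ipa-ca.crt
```

The KDC verifies the client certificate against its own pkinit_anchors and, by default, requires the id-pkinit-KPClientAuth extended key usage on it, which is the certificate requirement the reply says was hard to meet with the old Dogtag profiles.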