On Fri, Oct 30, 2015 at 03:02:56PM +0100, Sumit Bose wrote:
> On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> > Hello,
> >
> > I'm searching for a way to use pkinit
> > (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> > FreeIPA (even without dogtag).
> >
> > Can someone give me a howto for this?
>
> I can follow the steps described in the MIT pkinit instructions from
> above. Besides creating the needed certificates you only have to modify
> krb5.conf on the IPA server and client. The kadmin steps are not needed
> here because pre-authentication is already required for all IPA users.
>
> > On the official documentation and the ML archive, I only find some
> > references about the disabled feature because of the dogtag incompatibility.
>
> yes, this was mainly done because there are special requirements on the
> certificates, as can be seen from the MIT document, which were hard to
> meet at the time.
>
> With the latest version of FreeIPA we now have certificate profiles
> which should allow an automatic pkinit setup in future versions of IPA.
> My plan is to check what is needed here during the next weeks.

We support the Krb5PrincipalName OtherName SAN already, even in the default
profile**. It must be included in the PKCS #10 CSR (per instructions at the
MIT page above) and the values are validated by FreeIPA before passing to
Dogtag.

** Key Usage / Extended Key Usage would probably not be appropriate for user
certs, though. There's a ticket for "CSR templates" to make doing this sort
of thing easier. Eventually I would like to have profiles that don't need
any special info in the CSR but just read data from the directory.

https://fedorahosted.org/freeipa/ticket/4899

Cheers,
Fraser

> HTH
>
> bye,
> Sumit
>
> > Some links after my search:
> > https://github.com/encukou/freeipa/blob/master/ipalib/plugins/pkinit.py
> > https://www.redhat.com/archives/freeipa-devel/2010-November/msg00348.html
> > https://www.redhat.com/archives/freeipa-devel/2011-January/msg00906.html
> >
> > The only interesting thing I know is this doc to create a FreeIPA server
> > without Dogtag:
> > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
> >
> > Thank you in advance for any information on the subject.
> >
> > --
> > Jean Eymerit
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
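The Krb5PrincipalName OtherName SAN that Fraser says must be present in the CSR is the id-pkinit-san extension from RFC 4556 section 3.2.2 (OID 1.3.6.1.5.2.2, wrapping a KRB5PrincipalName of realm plus PrincipalName). The following is an added illustration, not code from FreeIPA, Dogtag or anyone on this thread: it DER-encodes that OtherName with only the Python standard library and, for the validating side, parses one back and checks that the realm and principal components exactly match the requester before a CA would be allowed to sign it. The realm EXAMPLE.TEST and user alice are constructed sample values, and the exact check FreeIPA performs is not taken from this thread; the matching rule here is an assumption chosen to be strict.

```python
"""Encode and validate the PKINIT id-pkinit-san OtherName (RFC 4556 sec. 3.2.2).

Added example, pure-stdlib DER.  ASN.1 (EXPLICIT TAGS, as in the Kerberos modules):

  OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
  KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
  PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san from RFC 4556
KRB_NT_PRINCIPAL = 1              # name-type used for ordinary user principals
TAG_SEQUENCE, TAG_INTEGER, TAG_OID, TAG_GENERALSTRING = 0x30, 0x02, 0x06, 0x1B


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def ctx(n, content):
    """Explicit context-specific tag [n] (constructed)."""
    return tlv(0xA0 | n, content)


def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def integer(n):
    return tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def general_string(s):
    return tlv(TAG_GENERALSTRING, s.encode("ascii"))


def encode_pkinit_san(realm, components, name_type=KRB_NT_PRINCIPAL):
    """Return the DER OtherName a CSR's SAN would carry for realm/components."""
    name_string = tlv(TAG_SEQUENCE, b"".join(general_string(c) for c in components))
    principal_name = tlv(TAG_SEQUENCE, ctx(0, integer(name_type)) + ctx(1, name_string))
    krb5_pn = tlv(TAG_SEQUENCE, ctx(0, general_string(realm)) + ctx(1, principal_name))
    return tlv(TAG_SEQUENCE, oid(ID_PKINIT_SAN) + ctx(0, krb5_pn))


def _read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, end).  Rejects truncation."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _expect(buf, tag, pos=0):
    t, content, end = _read(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return content, end


def _decode_oid(content):
    parts, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_pkinit_san(der):
    """Parse an OtherName; return (realm, name_type, [components]) or raise ValueError."""
    body, end = _expect(der, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing data after OtherName")
    oid_raw, pos = _expect(body, TAG_OID)
    if _decode_oid(oid_raw) != ID_PKINIT_SAN:
        raise ValueError("OtherName type-id is not id-pkinit-san")
    wrapped, pos = _expect(body, 0xA0, pos)
    if pos != len(body):
        raise ValueError("trailing data inside OtherName")
    krb5_pn, _ = _expect(wrapped, TAG_SEQUENCE)
    realm_wrap, pos = _expect(krb5_pn, 0xA0)
    realm_raw, _ = _expect(realm_wrap, TAG_GENERALSTRING)
    pn_wrap, _ = _expect(krb5_pn, 0xA1, pos)
    pn, _ = _expect(pn_wrap, TAG_SEQUENCE)
    nt_wrap, pos = _expect(pn, 0xA0)
    nt_raw, _ = _expect(nt_wrap, TAG_INTEGER)
    ns_wrap, _ = _expect(pn, 0xA1, pos)
    ns_seq, _ = _expect(ns_wrap, TAG_SEQUENCE)
    comps, pos = [], 0
    while pos < len(ns_seq):
        c, pos = _expect(ns_seq, TAG_GENERALSTRING, pos)
        comps.append(c.decode("ascii"))
    return realm_raw.decode("ascii"), int.from_bytes(nt_raw, "big", signed=True), comps


def san_matches_principal(der, expected_realm, expected_components):
    """Validation-side check (assumed policy): accept only a well-formed id-pkinit-san
    whose realm and every name component equal the requester's, case-sensitively."""
    try:
        realm, name_type, comps = decode_pkinit_san(der)
    except (ValueError, IndexError):
        return False
    return (name_type == KRB_NT_PRINCIPAL and realm == expected_realm
            and comps == list(expected_components))


if __name__ == "__main__":
    san = encode_pkinit_san("EXAMPLE.TEST", ["alice"])   # constructed sample
    print(san.hex(), decode_pkinit_san(san))
    print(san_matches_principal(san, "EXAMPLE.TEST", ["alice"]))
```

The encoder produces the OtherName itself; in a real CSR it sits inside the SAN extension as GeneralName choice [0]. The validator deliberately fails closed: any tag mismatch, wrong type-id, trailing bytes, or a principal that differs from the requester (different realm, different user, extra components) is rejected rather than "normalised", which is the property a CA front end wants before handing a CSR to the signing backend.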