Michael Rainey (Contractor) wrote:
> I recently discovered something that may be a little off in the SSSD
> Design Docs
> <https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1>.
> When using the certutil command shown below to dump the PEM encoded
> certificates from the smart card, the output is not the certificate
> which is being read by the SSSD daemon. (I hope the terminology is
> correct.)
>
> certutil -L -d /etc/pki/nssdb -n 'Certificate Nick-Name' -a | grep -v -- '----' | tr -d '[\n\r]'
>
> When the command is run I am prompted for my pin and after my pin is
> entered, what I believe is returned are the private keys on the card.

-L lists certs, not keys, so I'd be very surprised to find it let the private key go. AFAIK the only way to get a private key out of NSS is using pk12util. What does the PEM header say when you don't grep it out?

rob

> After conducting some further research and testing, I eventually settled
> on the following command to extract the correct public keys.
>
> pkcs15-tool --read-certificate <ID> | grep -v -- '----' | tr -d '[\n\r]'
>
> I don't know if this has been noted in the past, but I do feel it is
> important to mention in either case.
>
> Thanks,
>
> Michael Rainey
>
> On 02/11/2016 02:46 AM, Sumit Bose wrote:
>> On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote:
>>> Greetings,
>>>
>>> I'm curious as to how IPA handles smart cards containing multiple
>>> certificates. When I follow the steps listed at
>>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1
>>> when installing my certificate, I notice the certutil command dumps all
>>> installed certificates, and dumps the certificates in a different order
>>> depending on which certificate is selected. When the server tries to match
>>> a certificate, does it compare all certificates as one long continuous
>>> string, or does it compare one certificate at a time? I'm curious if this
>>> presents a problem for the end-user or has this problem been addressed?
>>
>> SSSD looks for valid certificates which have client authentication set
>> in the extended key usage. If multiple certificates are found, currently
>> just the "first" one is used. More options to configure the certificate
>> selection are planned for the next release.
>>
>> If you have a specific selection of certificates on the Smartcards you
>> use which currently do not work as expected with SSSD, feel free to send
>> me a dump of the certificates on the card or a description so that I can
>> see what kind of configuration options might be needed to select the
>> right one. If you prefer you can send this data to me directly.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> --
>>> Michael Rainey
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
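As an added example (not code from the thread, SSSD or FreeIPA), a few POSIX shell helpers for inspecting the PEM text that `certutil -L ... -a` or `pkcs15-tool --read-certificate` print before the headers are grepped away: they show the block labels Rob asks about, count the certificates a card returns, pick the first one (the one Sumit says SSSD currently uses) and produce the one-line base64 form. The Extended Key Usage step assumes `openssl` is installed; the sample input in the test is constructed, not real card data.

```sh
#!/bin/sh
# Added example, not from the thread. Helpers that inspect the PEM text printed
# by "certutil -L ... -a" or "pkcs15-tool --read-certificate <ID>" before the
# headers are grepped away, so you can see which block types came back and how
# many certificates the card holds. All functions read PEM on stdin.

# Print the label of every PEM block (CERTIFICATE, PRIVATE KEY, ...), one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Number of CERTIFICATE blocks in the input (prints 0 if there are none).
pem_cert_count() {
    pem_block_types | grep -c '^CERTIFICATE$' || true
}

# Emit only the N-th CERTIFICATE block (default 1, the one SSSD currently picks),
# headers included, so it can be fed to openssl or certutil.
pem_nth_cert() {
    awk -v want="${1:-1}" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; inblk = (n == want) }
        inblk { print }
        /^-----END CERTIFICATE-----$/   { inblk = 0 }
    '
}

# Strip the armour and newlines of a single PEM block: the one-line base64 form
# the design doc pastes into the user entry.
pem_oneline() {
    grep -v -- '-----' | tr -d '\n\r'
    printf '\n'
}

# Show the Extended Key Usage of the first certificate (assumes openssl is
# installed); SSSD selects certificates carrying "TLS Web Client Authentication".
pem_first_cert_eku() {
    pem_nth_cert 1 | openssl x509 -noout -text | grep -A1 'Extended Key Usage'
}

# Usage against a real card (not run here):
#   certutil -L -d /etc/pki/nssdb -n 'Certificate Nick-Name' -a | pem_block_types
#   certutil -L -d /etc/pki/nssdb -n 'Certificate Nick-Name' -a | pem_nth_cert 1 | pem_oneline
```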