freeipa

Clone
Source Code
GIT

dbebed2 Add PKINIT support to ipa-client-install

15 files Authored by cheimes a year ago, Committed by abbra a year ago,
raw patch tree parent
15 files changed. 606 lines added. 20 lines removed.
client/man/ipa-client-install.1
file modified
+17 -1
doc/designs/client-install-pkinit.md
file added
+219
doc/designs/index.rst
file modified
+1 -0
ipaclient/install/client.py
file modified
+111 -10
ipaclient/install/ipa_certupdate.py
file modified
+8 -1
ipalib/install/kinit.py
file modified
+46 -0
ipatests/prci_definitions/nightly_latest.yaml
file modified
+12 -0
ipatests/prci_definitions/nightly_latest_pki.yaml
file modified
+14 -0
ipatests/prci_definitions/nightly_latest_selinux.yaml
file modified
+13 -0
ipatests/prci_definitions/nightly_latest_testing.yaml
file modified
+14 -0
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
file modified
+15 -0
ipatests/prci_definitions/nightly_previous.yaml
file modified
+12 -0
ipatests/prci_definitions/nightly_rawhide.yaml
file modified
+13 -0
ipatests/pytest_ipa/integration/tasks.py
file modified
+11 -8
ipatests/test_integration/test_pkinit_install.py
file added
+100 
    Add PKINIT support to ipa-client-install
    
    The ``ipa-client-install`` command now supports PKINIT for client
    enrollment. Existing X.509 client certificates can be used to
    authenticate a host.
    
    Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
    certificates for PKINIT.
    
    *Requirements*
    
    - The KDC must trust the CA chain of the client certificate.
    - The client must be able to verify the KDC's PKINIT cert.
    - The host entry must exist. This limitation may be removed in the
      future.
    - A certmap rule must match the host certificate and map it to a single
      host entry.
    
    *Example*
    
    ```
    ipa-client-install \
        --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
        --pkinit-anchor=/path/to/kdc-ca-bundle.pem
    ```
    
    Fixes: https://pagure.io/freeipa/issue/9271
    Fixes: https://pagure.io/freeipa/issue/9269
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
file modified
+17 -1
file added
+219
file modified
+1 -0
file modified
+111 -10
file modified
+8 -1
file modified
+46 -0
file modified
+12 -0
file modified
+14 -0
file modified
+13 -0
file modified
+14 -0
file modified
+15 -0
file modified
+12 -0
file modified
+13 -0
file modified
+11 -8
file added
+100
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.