#4238 [RFE] Provide ability to map CAC identity certificates to users in IdM
Closed: Fixed None by mkosek. Opened 4 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1072383

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Provide the ability to map identity certificates from smart-cards to user entries in FreeIPA to improve the centralized authentication
functionality of the product.

The idea is to utilize IdM as the centralized authentication repository for users through card + pin instead of username + password.

How it would work:

  • Configure a desktop to authenticate using smart cards with pam_pkcs11 or sssd Smart Card support (upstream ticket)
  • Point authentication to FreeIPA
  • Use cert+pin to identify the user and have the user get all the appropriate resources assigned to them via IdM such as sudoers, automount, etc...
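The last step above is a certificate-to-user lookup: the certificate the card presents must be matched against the certificate stored on a user entry (the `usercertificate` attribute). The sketch below is an added example, not FreeIPA's or SSSD's own code; the user entries and the DER byte strings in it are constructed placeholders, not real certificates, and the exact-match-by-digest approach is an assumption chosen to illustrate the idea.

```python
import base64
import hashlib
import re

# Constructed sample directory: two users, each with one stored certificate.
# The DER values are placeholders (a DER certificate is a SEQUENCE, tag 0x30).
CERT_ALICE_DER = b"\x30\x82\x01\x00placeholder-der-for-alice"
CERT_BOB_DER = b"\x30\x82\x01\x00placeholder-der-for-bob"
USERS = [
    {"uid": "alice", "usercertificate": [CERT_ALICE_DER]},
    {"uid": "bob", "usercertificate": [CERT_BOB_DER]},
]

# The same placeholders in the other forms a client might present them.
CERT_BOB_B64 = base64.b64encode(CERT_BOB_DER).decode()
CERT_ALICE_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(CERT_ALICE_DER).decode()
                  + "\n-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_cert(cert):
    """Return raw DER bytes for a cert given as DER bytes, PEM text or bare base64."""
    if isinstance(cert, bytes) and cert.startswith(b"\x30"):
        return cert  # already DER
    text = cert.decode() if isinstance(cert, bytes) else cert
    match = _PEM_RE.search(text)
    if match:
        text = match.group(1)
    # Tolerate line breaks/whitespace, but reject anything that is not base64.
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def build_index(users):
    """Map the SHA-256 digest of every stored DER certificate to its owner's uid."""
    index = {}
    for entry in users:
        for cert in entry.get("usercertificate", []):
            digest = hashlib.sha256(normalize_cert(cert)).hexdigest()
            if index.get(digest, entry["uid"]) != entry["uid"]:
                # One certificate must never identify two different users.
                raise ValueError("certificate %s mapped to more than one user" % digest)
            index[digest] = entry["uid"]
    return index


def user_for_cert(index, presented):
    """Return the uid owning the presented certificate, or None if it is unknown."""
    return index.get(hashlib.sha256(normalize_cert(presented)).hexdigest())
```

Whole-certificate matching means a renewed or re-issued card certificate has to be added to the user entry before it authenticates, which is what the add/remove-cert commands referenced later in this ticket are for.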

Moving to FreeIPA 4.1 where we will re-evaluate this RFE.


  • 7f7c247 Support multiple host and service certificates


  • b6924c0 Fix: regression in host and service plugin
  • 62e9867 Fix certificate management with service-mod


  • 93dab56 baseldap: add support for API commands managing only a single attribute
  • 53b11b6 reworked certificate normalization and revocation
  • 76eea85 new commands to manage user/host/service certificates

Web UI was mostly implemented in tickets #5046 and #5045. Web UI support for the {user|service|host}_{add|remove}_cert commands, implemented in 76eea85, is still missing (#5108).

Nathan Kinder has just started a very promising blog series about Smart Cards and this feature:

Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2

2 years ago
