#9271 Support PKINIT with ipa-client-install
Closed: fixed 5 months ago by frenaud. Opened 5 months ago by cheimes.

Request for enhancement

As an admin, I want to use PKINIT with ipa-client-install so that I can enroll clients with X.509 client certificates. The feature would allow me to register clients with existing host identities like Red Hat subscription manager certificates or other provisioned cert/key pairs.

ipa-client-install requires credentials to authenticate host enrollment. Currently the command supports three ways to authenticate:

  • kinit with principal name + password of a privileged user account
  • kinit with an existing KRB5 keytab
  • OTP enrollment with a one time password

I would like to request a fourth option that uses PKINIT to acquire a TGT for the host principal. Internally the option would run kinit with cert, key, and trust anchor options like this:

kinit \
    -X X509_user_identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    -X X509_anchors=FILE:/path/to/ipa/ca.crt \
    -X X509_anchors=FILE:/path/to/additional-pem-bundle.pem

or provide these options in a temporary krb5.conf:

  [realms]
  MY.REALM = {
    pkinit_identities = FILE:/path/to/cert.pem,/path/to/key.pem
    pkinit_anchors = FILE:/path/to/ipa/ca.crt
    pkinit_anchors = FILE:/path/to/additional-pem-bundle.pem
  }

The feature is going to need up to three new arguments:

  • --pkinit-identity raw argument for pkinit_identities / X509_user_identity
  • --pkinit-cert path to a PEM file containing the certificate
  • --pkinit-key path to a PEM file containing the private key of the certificate
  • --pkinit-anchors path to a PEM bundle with trust anchors (has to support multiple bundles, either multiple arguments or a single argument with : as path separator). The certs from --ca-cert-file should be used as anchors, too.

The --pkinit-identity option may be preferable. MIT KRB5 also supports PKCS12 files and PKCS11 (smartcard / HSM / TPM) options.

  • pkinit_anchors / X509_anchors can be repeated multiple times
  • settings in [libdefaults] are ignored if a realm-specific setting has an option.
  • kinit options take precedence over krb5.conf options
  • during testing I noticed that clients and KDC must have access to the full cert chain of the client cert as well as the full cert chain of the KDC server cert.
  • PKINIT also needs a certmap rule that maps the host certificate to a host entry.
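As an added illustration, not FreeIPA's own implementation, the following Python sketch turns the options proposed above into the kinit -X arguments and the realm-specific krb5.conf stanza described in the ticket. The function names and the sample paths are hypothetical; the option semantics (raw identity vs. cert+key, repeatable anchors, ':'-separated bundles, --ca-cert-file as an extra anchor) follow the ticket text.

```python
# Identity prefixes understood by MIT krb5 PKINIT (FILE:, DIR:, PKCS12:, PKCS11:, ENV:).
KRB5_IDENTITY_PREFIXES = ("FILE:", "DIR:", "PKCS12:", "PKCS11:", "ENV:")


def normalize_identity(value):
    """Bare paths become FILE: identities; prefixed values pass through unchanged."""
    return value if value.startswith(KRB5_IDENTITY_PREFIXES) else "FILE:" + value


def identity_from_options(pkinit_identity=None, pkinit_cert=None, pkinit_key=None):
    """--pkinit-identity is taken raw; --pkinit-cert/--pkinit-key build FILE:cert,key."""
    if pkinit_identity and (pkinit_cert or pkinit_key):
        raise ValueError("--pkinit-identity excludes --pkinit-cert/--pkinit-key")
    if pkinit_identity:
        return normalize_identity(pkinit_identity)
    if not pkinit_cert:
        raise ValueError("need --pkinit-identity or --pkinit-cert")
    # MIT accepts FILE:cert[,key]; the key may live in the same PEM file as the cert.
    return f"FILE:{pkinit_cert},{pkinit_key}" if pkinit_key else f"FILE:{pkinit_cert}"


def collect_anchors(pkinit_anchors, ca_cert_file=None):
    """Merge --pkinit-anchors (repeatable or ':'-separated bare paths) with --ca-cert-file."""
    anchors = []
    values = list(pkinit_anchors) + ([ca_cert_file] if ca_cert_file else [])
    for value in values:
        # A prefixed identity is passed through whole; bare paths may be ':'-separated.
        parts = [value] if value.startswith(KRB5_IDENTITY_PREFIXES) else value.split(":")
        for part in parts:
            if part and normalize_identity(part) not in anchors:
                anchors.append(normalize_identity(part))
    return anchors


def build_kinit_argv(principal, identity, anchors):
    """kinit -X options take precedence over krb5.conf; X509_anchors may be repeated."""
    argv = ["kinit", "-X", f"X509_user_identity={identity}"]
    for anchor in anchors:
        argv += ["-X", f"X509_anchors={anchor}"]
    argv.append(principal)
    return argv


def render_realm_stanza(realm, identity, anchors):
    """Equivalent realm-specific settings for a temporary krb5.conf."""
    lines = ["[realms]", f"  {realm} = {{", f"    pkinit_identities = {identity}"]
    lines += [f"    pkinit_anchors = {anchor}" for anchor in anchors]
    lines.append("  }")
    return "\n".join(lines) + "\n"
```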


Metadata Update from @cheimes:
- Custom field rhbz adjusted to 2075452

5 months ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6543

5 months ago

Upstream PR 6543 implements the feature + design document as:

$ ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem

I have some very experimental code that uses the host certificate from Red Hat subscription manager to automate self-enrollment of hosts. TPM 2.0 device identity (IDevID/IAK certificates) attestation may be another use case for the feature.

Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.9

5 months ago

  • dbebed2 Add PKINIT support to ipa-client-install
  • 9d902d3 Add PKINIT support to ipa-client-install
  • 80da53e Add PKINIT support to ipa-client-install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2075452 (was: 2075452)

5 months ago
