freeipa

Clone
Source Code
GIT

#9271 Support PKINIT with ipa-client-install
Closed: fixed 5 months ago by frenaud. Opened 5 months ago by cheimes.

Closed: fixed
Reopen Issue

Request for enhancement

As an admin, I want to use PKINIT with ipa-client-install so that I can enroll clients with X.509 client certificates. The feature would allow me to register clients with existing host identities like Red Hat subscription manager certificates or other provisioned cert/key pairs.

ipa-client-install requires credentials to authenticate host enrollment. Currently the command supports three ways to authenticate:

  • kinit with principal name + password of a privileged user account
  • kinit with an existing KRB5 keytab
  • OTP enrollment with a one time password

I like to request a forth option that uses PKINIT to acquire a TGT for the host principal. Internally the option would run kinit with cert, key, and trust anchor options like this:

kinit \
    -X X509_user_identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    -X X509_anchors=FILE:/path/to/ipa/ca.crt \
    -X X509_anchors=FILE:/path/to/additional-pem-bundle.pem \
    ...
    host/{hostname}

or provide these options in temp krb5.conf

[realms]
  MY.REALM = {
    pkinit_identities = FILE:/path/to/cert.pem,/path/to/key.pem
    pkinit_anchors = FILE:/path/to/ipa/ca.crt
    pkinit_anchors = FILE:/path/to/additional-pem-bundle.pem
}

The feature is going to need up to three new arguments:

  • --pkinit-identity raw argument for pkinit_identities / X509_user_identity

or

  • --pkinit-cert path to a PEM file containing the certificate
  • --pkinit-key path to a PEM file containing the private key of the certificate

and

  • --pkinit-anchors path to a PEM bundle with trust anchors (has to support multiple bundles, either multiple arguments or a single argument with : as path separator). The certs from --ca-cert-file should be used as anchors, too.

--pkinit-identity option may be preferable. MIT KRB5 also supports PKCS12 files and PKCS11 (smartcard / HSM / TPM) options.

NOTES

  • pkinit_anchors / X509_anchors can be repeated multiple times
  • settings in [libdefaults] are ignored if a realm-specific setting has an option.
  • kinit options takes precedence over krb5.conf options
  • during testing I noticed that clients and KDC must have access to the full cert chain of the client cert as well as the full cert chain of the KDC server cert.
  • PKINIT also needs a certmap rule that maps the host certificate to a host entry.

References

Metadata Update from @cheimes:
- Custom field rhbz adjusted to 2075452
5 months ago

https://github.com/freeipa/freeipa/compare/master...tiran:freeipa:issue9271-pkinit-install is a rough prototype of the feature. It is missing tests and docs update.

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6543
5 months ago

Upstream PR 6543 implements the feature + design document as:

$ ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=FILE:/path/to/kdc-ca-bundle.pem

I have some very experimental code that uses the host certificate from Red Hat subscription manager to automate self-enrollment of hosts. TPM 2.0 device identity (IDevID/IAK certificates) attestation may be another use case for the feature.

Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.9
5 months ago

master:

  • dbebed2 Add PKINIT support to ipa-client-install

ipa-4-10:

  • 9d902d3 Add PKINIT support to ipa-client-install

ipa-4-9:

  • 80da53e Add PKINIT support to ipa-client-install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
5 months ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2075452 (was: 2075452)
5 months ago

Issue linked to bug 2075452

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2143224 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2075452)
5 months ago

Issue linked to bug 2143224

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2143224, https://bugzilla.redhat.com/show_bug.cgi?id=2075452 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2143224)
5 months ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
https://github.com/freeipa/freeipa/pull/6543
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=2143224, https://bugzilla.redhat.com/show_bug.cgi?id=2075452
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.