On Tue, May 28, 2019 at 04:37:25PM -0000, Khurrum Maqb via FreeIPA-users wrote:
> Thanks! 
> 
> So on the IPA server that is listed in the client's /etc/ipa/default file I 
> ran:
> 
> # openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem 
> /var/kerberos/krb5kdc/kdc.crt
> /var/kerberos/krb5kdc/kdc.crt: O = DOMAIN.COM, CN = ipa-server.do.ma.in
> error 18 at 0 depth lookup:self signed certificate
> OK

This should not be self-signed but signed by the IPA CA to make
Smartcard authentication and PKINIT work.

What is the output of

    ipa pkinit-status

and

    ipa-pkinit-manage status

on the servers?

bye,
Sumit

> 
> Is that the command that you had in mind? It looks like it's OK.
> 
> Also as Florence Blanc-Renaud suggested, I ran the `ipa-advise 
> config-server-for-smart-card-auth > config.sh` command and ran it on all the 
> IPA servers with the third-party external CA certs, and they ran 
> successfully. Thanks Florence! I did not see any change after that. The only 
> thing I hadn't done was change the Server-Cert permissions. The kinit command 
> still fails with the DH verification error on the client even though the 
> ticket is issued. 
> 
> I also added a CNAME for the OCSP server listed in the cert and pointed it to 
> a real working IPA server instead of a retired one. 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
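The quoted `openssl verify` output prints `error 18 ... self signed certificate` and then `OK`, so the trailing `OK` line alone is not a reliable signal that the KDC certificate is CA-issued. The script below is an added example, not code from the thread or from FreeIPA: it compares the certificate's issuer DN with its subject DN (the condition behind error 18) before asking `openssl verify` for its exit status, and it builds its own throwaway test CA and certificates so it runs offline. The organisation `EXAMPLE.TEST`, the host `kdc.example.test`, the file names and the function names are constructed for the example; the only real paths are the ones from the thread, used in the usage note.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): check that a KDC certificate
# is CA-issued rather than self-signed and that it chains to the KDC CA bundle.
# All subjects and file names below are constructed test fixtures.

# check_kdc_cert CERT CA_BUNDLE
#   returns 0: issued by a CA in the bundle (what PKINIT needs)
#   returns 2: self-signed (issuer DN equals subject DN), as in the thread
#   returns 1: not self-signed, but does not chain to the bundle
check_kdc_cert() {
    cert=$1
    bundle=$2
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    # Strip the "subject=" / "issuer=" prefixes so only the DNs are compared.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "SELF-SIGNED: $cert (issuer DN equals subject DN)"
        return 2
    fi
    # The exit status of 'openssl verify' is the signal here, not the OK line.
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "NOT CHAINED: $cert does not verify against $bundle"
        return 1
    fi
    echo "OK: $cert is issued by a CA in $bundle"
    return 0
}

# make_fixtures: build a throwaway test CA, a KDC cert issued by it, and a
# self-signed KDC cert. Prints the directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    # Minimal req config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = EXAMPLE.TEST
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Test CA: the one place a self-signed certificate is expected.
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=EXAMPLE.TEST/CN=Example Test CA" -days 1 >/dev/null 2>&1
    # 2. KDC certificate issued by that CA (the correct PKINIT setup).
    openssl req -new -config "$dir/req.cnf" \
        -newkey rsa:2048 -nodes -keyout "$dir/kdc.key" -out "$dir/kdc.csr" \
        -subj "/O=EXAMPLE.TEST/CN=kdc.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/kdc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -out "$dir/kdc-good.pem" -days 1 >/dev/null 2>&1
    # 3. Self-signed KDC certificate (the misconfiguration seen in the thread).
    openssl req -x509 -config "$dir/req.cnf" \
        -newkey rsa:2048 -nodes -keyout "$dir/kdc-self.key" -out "$dir/kdc-self.pem" \
        -subj "/O=EXAMPLE.TEST/CN=kdc.example.test" -days 1 >/dev/null 2>&1
    echo "$dir"
}

main() {
    dir=$(make_fixtures)
    for c in kdc-good.pem kdc-self.pem; do
        check_kdc_cert "$dir/$c" "$dir/ca.pem" || true
    done
    rm -rf "$dir"
}
main
```

On an IPA server the same check is `check_kdc_cert /var/kerberos/krb5kdc/kdc.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem`, using the two paths from the thread; a return of 2 means the KDC certificate is self-signed and will not satisfy PKINIT clients that expect it to be issued by the IPA CA.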