23.2. Authenticating to an Identity Management Client with a Smart Card

As an Identity Management user with multiple role accounts in the Identity Management server, you can authenticate with your smart card to a desktop client system joined to the Identity Management domain. This enables you to use the client system as the selected role.
For a basic overview of the supported options, see:
For information on configuring the environment to enable the authentication, see:
For information on how to authenticate, see:

23.2.1. Smart Card-based Authentication Options Supported on Identity Management Clients

Users in Identity Management can use the following options when authenticating using a smart card on Identity Management clients.
Local authentication
Local authentication includes authentication using:
  • the text console
  • the graphical console, such as the Gnome Display Manager (GDM)
  • local authentication services, such as su or sudo
Remote authentication with ssh
Certificates on a smart card are stored together with the PIN-protected SSH private key.
Smart card-based authentication using other services, such as FTP, is not supported.

23.2.2. Preparing the Identity Management Client for Smart-card Authentication

As the Identity Management administrator, perform these steps:
  1. On the server, create a shell script to configure the client.
    1. Use the ipa-advise config-client-for-smart-card-auth command, and save its output to a file:
      # ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh
    2. Open the script file, and review its contents.
    3. Add execute permissions to the file using the chmod utility:
      # chmod +x client_smart_card_script.sh
  2. Copy the script to the client, and run it. Add the path to the PEM file with the certificate authority (CA) that signed the smart card certificate:
    # ./client_smart_card_script.sh CA_cert.pem
Additionally, if an external certificate authority (CA) signed the certificate on the smart card, add the smart card CA as a trusted CA:
  1. On the Identity Management server, install the CA certificate:
    # ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
    # ipa-certupdate
    Repeat ipa-certupdate also on all replicas and clients.
  2. Restart the HTTP server:
    # systemctl restart httpd
    Repeat systemctl restart httpd also on all replicas.


SSSD enables administrators to tune the certificate verification process with the certificate_verification parameter, for example if the Online Certificate Status Protocol (OCSP) servers defined in the certificate are not reachable from the client. For more information, see the sssd.conf(5) man page.

23.2.3. Authenticating on an Identity Management Client with a Smart Card Using the Console Login

To authenticate as an Identity Management user, enter the user name and PIN.
  • When logging in from the command line:
    client login: idm_user
    PIN for PIV Card Holder pin (PIV_II) for user idm_user@idm.example.com:
  • When logging in using the Gnome Desktop Manager (GDM), GDM prompts you for the smart card PIN after you select the required user:
    Entering the smart card PIN in the Gnome Desktop Manager

    Figure 23.3. Entering the smart card PIN in the Gnome Desktop Manager

To authenticate as an Active Directory user, enter the user name in a format that uses the NetBIOS domain name: AD.EXAMPLE.COM\ad_user or ad_user@AD.EXAMPLE.COM.

23.2.4. Authenticating on an Identity Management Client with a Smart Card Using SSH

When using the ssh utility, specify the path to the smart card reader module. For example:
$ ssh -I /usr/lib/libmypkcs11.so -l user@example.com host.example.com
Enter PIN for 'Smart Card':

23.2.5. Additional Resources