Chapter 39. Configuring certificates issued by ADCS for smart card authentication in IdM
This scenario describes the following situation:
- Your deployment is based on cross-forest trust between Identity Management (IdM) and Active Directory (AD).
- You want to allow smart card authentication for users whose accounts are stored in AD.
- Certificates are created and stored in Active Directory Certificate Services (ADCS).
Configuration will be accomplished in the following steps:
- Copying CA and user certificates from Active Directory to the IdM server and client
- Configuring the IdM server and clients for smart card authentication using ADCS certificates
- Converting a PFX (PKCS#12) file to be able to store the certificate and private key into the smart card
- Configuring timeouts in the sssd.conf file
- Creating certificate mapping rules for smart card authentication
Identity Management (IdM) and Active Directory (AD) trust is installed
For details, see Installing trust between IdM and AD.
- Active Directory Certificate Services (ADCS) is installed and certificates for users are generated
39.1. Smart card authentication
A smart card is a physical device which can provide personal authentication using certificates stored on the card. Personal authentication means that you can use smart cards in the same way as user passwords.
You can store user credentials on the smart card in the form of a private key and a certificate, and special software and hardware is used to access them. You place the smart card into a reader or a USB socket and supply the PIN code for the smart card instead of providing your password.
You can configure how you want smart card authentication to work in a particular IdM client:
- Users can authenticate with the user name and password or with their smart cards
- Users can authenticate with their smart cards, and passwords are not allowed
- Users can use the smart card for logout with a function lock on removal, and passwords are not allowed
Identity Management (IdM) supports smart card authentication with:
- User certificates issued by the IdM certificate authority. For details, see Configuring Identity Management for smart card authentication.
- User certificates issued by the ADCS certificate authority. For details, see Configuring certificates issued by ADCS for smart card authentication in IdM.
- User certificates issued by local certification authority generated on a RHEL system. For details, see Configuring and importing local certificates to a smart card.
- User certificates issued by an external certificate authority.
If you want to start to use smart card authentication, see the hardware requirements: Smart Card support in RHEL8.
39.2. Windows Server settings required for trust configuration and certificate usage
This section summarizes what must be configured on Windows Server:
- Active Directory Certificate Services (ADCS) is installed
- Certificate Authority is created
- [Optional] If you are using Certificate Authority Web Enrollment, the Internet Information Services (IIS) must be configured
Export the certificate:
Key must have
2048bits or more
- Include a private key
You will need a certificate in the following format: Personal Information Exchange —
- Enable certificate privacy
39.3. Copying certificates from Active Directory using sftp
To be able to use smart card authetication, you need to copy the following certificate files:
A root CA certificate in the
adcs-winserver-ca.ceron your IdM server.
A user certificate with a private key in the
aduser1.pfxon an IdM client.
This procedure expects SSH access is allowed. If SSH is unavailable the user must copy the file from the AD Server to the IdM server and client.
Connect from the IdM server and copy the
adcs-winserver-ca.cerroot certificate to the IdM server:
root@idmserver ~]# sftp Administrator@winserver.ad.example.com Administrator@winserver.ad.example.com's password: Connected to Administrator@winserver.ad.example.com. sftp> cd <Path to certificates> sftp> ls adcs-winserver-ca.cer aduser1.pfx sftp> sftp> get adcs-winserver-ca.cer Fetching <Path to certificates>/adcs-winserver-ca.cer to adcs-winserver-ca.cer <Path to certificates>/adcs-winserver-ca.cer 100% 1254 15KB/s 00:00 sftp quit
Connect from the IdM client and copy the
aduser1.pfxuser certificate to the client:
[root@client1 ~]# sftp Administrator@winserver.ad.example.com Administrator@winserver.ad.example.com's password: Connected to Administrator@winserver.ad.example.com. sftp> cd /<Path to certificates> sftp> get aduser1.pfx Fetching <Path to certificates>/aduser1.pfx to aduser1.pfx <Path to certificates>/aduser1.pfx 100% 1254 15KB/s 00:00 sftp quit
Now the CA certificate is stored in the IdM server and the user certificates is stored on the client machine.
39.4. Configuring the IdM server and clients for smart card authentication using ADCS certificates
You must configure the IdM (Identity Management) server and clients to be able to use smart card authentication in the IdM environment. IdM includes the
ipa-advise scripts which makes all necessary changes:
- install necessary packages
- it configures IdM server and clients
- copy the CA certificates into expected locations
You can run
ipa-advise on your IdM server.
This procedure describes:
On an IdM server: Preparing the
ipa-advisescript to configure your IdM server for smart card authentication.
On an IdM server: Preparing the
ipa-advisescript to configure your IdM client for smart card authentication.
On an IdM server: Applying the the
ipa-adviseserver script on the IdM server using the AD certificate.
- Moving the client script to the IdM client machine.
On an IdM client: Applying the the
ipa-adviseclient script on the IdM client using the AD certificate.
- The certificate has been copied to the IdM server.
- Obtain the Kerberos ticket.
- Log in as a user with administration rights.
On the IdM server, use the
ipa-advisescript for configuring a client:
[root@idmserver ~]# ipa-advise config-client-for-smart-card-auth > sc_client.sh
On the IdM server, use the
ipa-advisescript for configuring a server:
[root@idmserver ~]# ipa-advise config-server-for-smart-card-auth > sc_server.sh
On the IdM server, execute the script:
[root@idmserver ~]# sh -x sc_server.sh adcs-winserver-ca.cer
- It configures the IdM Apache HTTP Server.
- It enables Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) on the Key Distribution Center (KDC).
- It configures the IdM Web UI to accept smart card authorization requests.
sc_client.shscript to the client system:
[root@idmserver ~]# scp sc_client.sh email@example.com:/root Password: sc_client.sh 100% 2857 1.6MB/s 00:00
Copy the Windows certificate to the client system:
[root@idmserver ~]# scp adcs-winserver-ca.cer firstname.lastname@example.org:/root Password: adcs-winserver-ca.cer 100% 1254 952.0KB/s 00:00
On the client system, run the client script:
[root@idmclient1 ~]# sh -x sc_client.sh adcs-winserver-ca.cer
The CA certificate is installed in the correct format on the IdM server and client systems and next step is to copy the user certificates onto the smart card itself.
39.5. Converting the PFX file
Before you store the PFX (PKCS#12) file into the smart card, you must:
- convert the file to the PEM format
- extract the private key and the certificate to two different files
- The PFX file is copied into the IdM client machine.
On the IdM client, into the PEM format:
[root@idmclient1 ~]# openssl pkcs12 -in aduser1.pfx -out aduser1_cert_only.pem -clcerts -nodes Enter Import Password:
Extract the key into the separate file:
[root@idmclient1 ~]# openssl pkcs12 -in adduser1.pfx -nocerts -out adduser1.pem > aduser1.key
Extract the public certificate into the separate file:
[root@idmclient1 ~]# openssl pkcs12 -in adduser1.pfx -clcerts -nokeys -out aduser1_cert_only.pem > aduser1.crt
At this point, you can store the
aduser1.crt into the smart card.
39.6. Installing tools for managing and using smart cards
To configure your smart card, you need tools which can generate certificates and store them on a smart card.
gnutls-utilspackage which helps you to manage certificates.
openscpackage which provides a set of libraries and utilities to work with smart cards.
pcscdservice which communicates with the smart card reader.
# dnf -y install opensc gnutls-utils
# systemctl start pcscd
Verify that the
pcscd service is up and running.
39.7. Storing a certificate on a smart card
This section describes smart card configuration with the
pkcs15-init tool, which helps you to configure:
- Erasing your smart card
- Setting new PINs and optional PIN Unblocking Keys (PUKs)
- Creating a new slot on the smart card
- Storing the certificate, private key, and public key in the slot
- Locking the smart card settings (some smart cards require this type of finalization)
openscpackage, which includes the
pkcs15-inittool is installed.
For details, see Installing tools for managing and using smart cards.
- The card is inserted in the reader and connected to the computer.
You have the private key, public key, and certificate to store on the smart card. In this procedure,
testuser.crtare the names used for the private key, public key, and the certificate.
- Your current smart card user PIN and Security Officer PIN (SO-PIN)
Erase your smart card and authenticate yourself with your PIN:
$ pkcs15-init --erase-card --use-default-transport-keys Using reader with a card: Reader name PIN [Security Officer PIN] required. Please enter PIN [Security Officer PIN]:
The card has been erased.
Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:
$ pkcs15-init --create-pkcs15 --use-default-transport-keys \ --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123 Using reader with a card: Reader name
pcks15-inittool creates a new slot on the smart card.
Set the label and the authentication ID for the slot:
$ pkcs15-init --store-pin --label testuser \ --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478 Using reader with a card: Reader name
The label is set to a human-readable value, in this case,
auth-idmust be two hexadecimal values, in this case it is set to
Store and label the private key in the new slot on the smart card:
$ pkcs15-init --store-private-key testuser.key --label testuser_key \ --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader nameNote
The value you specify for
--idmust be the same when storing your private key, and certificate. If you do not specify a value for
--id, a more complicated value is calculated by the tool and it is therefore easier to define your own value.
Store and label the certificate in the new slot on the smart card:
$ pkcs15-init --store-certificate testuser.crt --label testuser_crt \ --auth-id 01 --id 01 --format pem --pin 963214 Using reader with a card: Reader name
(Optional) Store and label the public key in the new slot on the smart card:
$ pkcs15-init --store-public-key testuserpublic.key --label testuserpublic_key --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader nameNote
If the public key corresponds to a private key and/or certificate, you should specify the same ID as that private key and/or certificate.
(Optional) Some smart cards require you to finalize the card by locking the settings:
$ pkcs15-init -F
At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.
39.8. Configuring timeouts in sssd.conf
Authentication with a smart card certificate might take longer than the default timeouts used by SSSD. Time out expiration can be caused by:
- slow reader
- a forwarding form a physical device into a virtual environment
- too many certificates stored on the smart card
- slow response from the OCSP (Online Certificate Status Protocol) responder if OCSP is used to verify the certificates
In this case you can prolong the following timeouts in the
sssd.conf file, for example, to 60 seconds:
- You must be logged in as root.
[root@idmclient1 ~]# vim /etc/sssd/sssd.conf
Change the value of
[pam] p11_child_timeout = 60
Change the value of
[domain/IDM.EXAMPLE.COM] krb5_auth_timeout = 60
- Save the settings.
Now, the interaction with the smart card is allowed to run for 1 minute (60 seconds) before authentication will fail with a timeout.
39.9. Creating certificate mapping rules for smart card authentication
If you want to use one certificate for the same user who has accounts in AD (Active Directory) and in IdM (Identity Management) too, you can create a certificate mapping rule on the IdM server. After creating such a rule, the user is able to authenticate with their smart card in both domains.
For details about certificate mapping rules, see Certificate mapping rules for configuring authentication on smart cards.