The purpose of this document is to demonstrate how to configure CA PAM to use smart cards (PKI). In short, you have to install the root and intermediate certificates into PAM, which are required by the certificate on your smart card. You will also have to install in PAM any CRLs that are required by the certificates. On the Config → Security page, you will have to enable PKI and make the PKI button visible. Your users can then attempt to log in using the PKI button. Their first attempt will fail, as each such CAC user must be approved by a PAM Admin. Once that is done, your users will be able to log in with PKI. That’s the short story. Details may be found in the attached document.
Awesome article, Ed. Worked like a charm.
One additional question though: how can I make it work using LDAP authentication? What I mean is that instead of uploading a root cert and CRLs, I want PAM to send the certificate to LDAP to authenticate (which has both root cert and CRL). Is there a way we can do it in PAM?
Thanks. I tried and it works as explained in the doc.
The only thing I wasn't able to configure was the automatic CRL download. It says:
"Can't update CRL configuration: There is invalid CRL file"
Thanks once again for this tech tip.