Hello team,
I’m part of Dogtag PKI open-source project [1]. Our team strives to provide
enterprise-class open-source Public Key Infrastructure (PKI) [2].
Dogtag PKI server is a Java web application running on Tomcat. Currently,
we have a stand-alone Java AWT client tool called pkiconsole to access PKI
services on the server. PKI users are authenticated using client
certificates stored in LDAP. These users only exist in LDAP, they are not
users on the host itself.
We are trying to convert pkiconsole into a web application. We had a chance
to look at Cockpit from a very high-level and have some questions. I’m
reaching out to the members of the Cockpit team, before we could make a
concrete decision on whether Cockpit is a perfect choice for us.
The questions are:
1. According to [3] Cockpit seems to require the host to join the IdM
domain in order to authenticate PKI users into Cockpit using client cert
auth. Is it possible to use client cert auth without joining a domain? Will
that require major changes in Cockpit?
2. Suppose the user has been authenticated into Cockpit using a client cert
as described in #1, is it possible for Cockpit to use the same client
certificate auth to access PKI server? Or do we need to use a different
auth mechanism?
Regards,
The PKI Team
[1]
https://github.com/dogtagpki/pki
[2]
https://www.dogtagpki.org/wiki/PKI_Main_Page
[3]
https://cockpit-project.org/guide/latest/cert-authentication