Hello team, I’m part of Dogtag PKI open-source project [1]. Our team strives to provide enterprise-class open-source Public Key Infrastructure (PKI) [2]. Dogtag PKI server is a Java web application running on Tomcat. Currently, we have a stand-alone Java AWT client tool called pkiconsole to access PKI services on the server. PKI users are authenticated using client certificates stored in LDAP. These users only exist in LDAP, they are not users on the host itself. We are trying to convert pkiconsole into a web application. We had a chance to look at Cockpit from a very high-level and have some questions. I’m reaching out to the members of the Cockpit team, before we could make a concrete decision on whether Cockpit is a perfect choice for us. The questions are: 1. According to [3] Cockpit seems to require the host to join the IdM domain in order to authenticate PKI users into Cockpit using client cert auth. Is it possible to use client cert auth without joining a domain? Will that require major changes in Cockpit? 2. Suppose the user has been authenticated into Cockpit using a client cert as described in #1, is it possible for Cockpit to use the same client certificate auth to access PKI server? Or do we need to use a different auth mechanism? Regards, The PKI Team [1] https://github.com/dogtagpki/pki [2] https://www.dogtagpki.org/wiki/PKI_Main_Page [3] https://cockpit-project.org/guide/latest/cert-authentication