FreeIPA Server-Client Setup with Smartcard (Yubikey)

Good day everyone and I hope you’re doing great!

I have been trying to set up a FreeIPA server and client, with access to the FreeIPA server via a smartcard (in this case a YubiKey 5C NFC), and was wondering if anyone was knowledgeable about some of the issues I have run into.

Please see my setup below and a description of the issues I have encountered so far.

Setup

  • Two nodes, each running Rocky Linux 9.5 connected to each other on a LAN.

  • One node (Host A) is the FreeIPA server. This has an FQDN of freeipa-server.example.local.

  • The other node (Host B) is the FreeIPA client. This has an FQDN of freeipa-client.example.local.

  • The YubiKey 5C NFC (with firmware 5.4.3) is directly connected to Host B via USB.

  • SELinux is set to Permissive mode on both hosts. Appropriate Firewall ports have been opened.

  • No root certificates, intermediary certificates or any similar were created during the FreeIPA server setup process.

  • This is just a local test setup, nothing production-related.

What Works

  • Generating a Certificate Signing Request on the Yubikey, logging into the FreeIPA server with my user account, importing the CSR there, downloading the certificate that is created and then importing that into my Yubikey.

  • Setting up the FreeIPA server with ipa-server-install --setup-dns --auto-reverse and the FreeIPA client with ipa-client-install --enable-dns-updates --mkhomedir works without issue.

  • Requesting a kerberos ticket for the admin account with kinit admin.

  • Accessing the FreeIPA server via the client and logging in with the credentials generated through ipa user-add howard --password --homedir=/home/howard --shell=/bin/bash.

  • Logging into the FreeIPA server via the FreeIPA client using the web UI is no problem.

What Does Not Work

  • At the ROCKY IDENTITY MANAGEMENT screen on the FreeIPA server, I click Log In Using Certificate. I then receive the error message of Authentication with personal certificate failed. To reiterate, the Yubikey is connected to the FreeIPA client, which is then accessing the FreeIPA server.

  • I check the httpd error log at /var/log/httpd/error_log and observe the following:

[Mon Apr 14 17:53:10.796638 2025] [ssl:error] [pid 20256:tid 20299] [client 192.168.1.12:53646] AH02263: Re-negotiation handshake failed: Client certificate missing, referer: https://freeipa-server.example.local/ipa/ui/

  • From the output of my /var/log/sssd/* logs, I did not observe any errors there surrounding the above issue.

  • From the output of sssctl user-checks -s gdm-smartcard "howard" -a auth on the FreeIPA Server, I can see the following, which is concerning to me (the full output is linked below):

auth=authinfo_unavail
pam_authenticate for user [howard]: Authentication service cannot retrieve authentication info

PAM Environment:
 - no env -

  • I had added the following to /etc/sssd/sssd.conf, then restarted sssd with systemctl restart sssd and still saw no change:

[pam]
pam_cert_auth = True

  • I tried directly connecting my Yubikey to the FreeIPA server and logging in locally that way as well and also saw the same error messages of Re-negotiation handshake failed: Client certificate missing.

  • One item in the main guide that I followed mentions running the following commands (also from Red Hat) and supplying the required certificates:

kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod u+x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt.pem

  • This I have tried; however, you need to supply rootca.pem, subca.pem and issuingca.pem certificates, which I understand you can generate with openssl.

  • In my local setup that I have here, is the generation of your own certificates, including a certificate authority also a requirement? Is that part of the reason I am seeing the Re-negotiation handshake failed: Client certificate missing errors that I listed above?

  • I had [ssl:error] [pid 15019:tid 15204] SSL Library Error: error:0A000117:SSL routines::extension not received errors from httpd previously, which I fixed in Firefox by going to about:config and setting security.tls.enable_post_handshake_auth to true.

Configs and Logs

Guides Consulted

Closing Thoughts

If there are any troubleshooting steps that I can further try or an example FreeIPA setup that has Yubikey authentication working, please let me know and I’d be more than happy to try those out.

It is also not a problem at all for me to scrap the whole setup and start afresh, regarding how I have configured my Yubikey and the certificates.

If you need any further outputs from me, please let me know and I’d be more than happy to send you those.

Thanks ever so much to anyone who takes the time to reply here; this has been an issue I have been stuck on for a while now.
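An added example, not part of the post above and not FreeIPA, SSSD or Apache code: a small Python triage script that parses httpd error_log lines in the format quoted in the post and counts, per client address, the two smartcard-login failure signatures the post mentions (AH02263 "Client certificate missing" and OpenSSL 0A000117 "extension not received"). The signature tags and the sample log lines are constructed for this example; the first sample line is the one quoted in the post, the others are invented in the same format.

```python
"""Triage helper for Apache httpd error_log lines seen during FreeIPA
smartcard (client-certificate) login attempts.

Added example, not part of the original post or of FreeIPA. It parses the
standard httpd 2.4 error_log line layout and tags the two failure signatures
quoted in the post so a log can be summarised per client address.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# httpd 2.4 error_log layout:
# [timestamp] [module:level] [pid P:tid T] [client IP:PORT] message[, referer: URL]
_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

# Failure signatures quoted in the post; tag names are this example's own.
SIGNATURES = {
    "AH02263": "client_cert_missing",     # renegotiation ran, client presented no certificate
    "0A000117": "pha_extension_missing",  # OpenSSL: post-handshake auth extension not received
}


@dataclass
class ErrorLogEntry:
    timestamp: str
    module: str
    level: str
    pid: int
    tid: Optional[int]
    client: Optional[str]
    message: str
    referer: Optional[str]
    signature: Optional[str]  # one of the SIGNATURES tags, or None


def classify(message: str) -> Optional[str]:
    """Map a message to a known smartcard-login failure signature, if any."""
    for code, tag in SIGNATURES.items():
        if code in message:
            return tag
    return None


def parse_line(line: str) -> Optional[ErrorLogEntry]:
    """Parse one error_log line; returns None for lines in another format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return ErrorLogEntry(
        timestamp=m["ts"],
        module=m["module"],
        level=m["level"],
        pid=int(m["pid"]),
        tid=int(m["tid"]) if m["tid"] else None,
        client=m["client"],
        message=m["msg"],
        referer=m["referer"],
        signature=classify(m["msg"]),
    )


def summarize(lines):
    """Count known failure signatures per client address.

    Returns {client: Counter({signature: n})}; lines that do not parse or
    carry no known signature are skipped.
    """
    summary = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.signature is None:
            continue
        key = entry.client or "<no client>"
        summary.setdefault(key, Counter())[entry.signature] += 1
    return summary


# Constructed sample: line 1 is quoted from the post; the rest are invented in
# the same format to exercise the second signature, a non-matching line and
# a line that is not an httpd error_log entry at all.
SAMPLE_LOG = [
    "[Mon Apr 14 17:53:10.796638 2025] [ssl:error] [pid 20256:tid 20299] [client 192.168.1.12:53646] AH02263: Re-negotiation handshake failed: Client certificate missing, referer: https://freeipa-server.example.local/ipa/ui/",
    "[Mon Apr 14 17:40:02.113355 2025] [ssl:error] [pid 15019:tid 15204] [client 192.168.1.12:53610] SSL Library Error: error:0A000117:SSL routines::extension not received",
    "[Mon Apr 14 17:40:02.113400 2025] [ssl:error] [pid 15019:tid 15204] [client 192.168.1.12:53610] AH02263: Re-negotiation handshake failed: Client certificate missing, referer: https://freeipa-server.example.local/ipa/ui/",
    "[Mon Apr 14 17:53:11.000000 2025] [wsgi:info] [pid 20256:tid 20300] [client 192.168.1.12:53646] mod_wsgi: Python script completed",
    "not an httpd error_log line at all",
]

if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, dict(counts))
```

Run it against a real file with `summarize(open("/var/log/httpd/error_log"))`; a client that shows only `pha_extension_missing` never sent the TLS 1.3 post-handshake authentication extension, while one that shows `client_cert_missing` reached the certificate request and answered it without a certificate, which points at the browser or smartcard side rather than at httpd.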