Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig/__init__.py.in2
-rw-r--r--src/config/etc/sssd.api.conf2
-rw-r--r--src/man/sssd.conf.5.xml26
3 files changed, 30 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1a0893cbc..e7bf43dfd 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -92,6 +92,8 @@ option_strings = {
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
'pam_account_locked_message' : _('Message printed when user account is locked.'),
+ 'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'),
+ 'pam_cert_db_path' : _('Path to certificate databse with PKCS#11 modules.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
# [sudo]
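Review bot: The new `pam_cert_db_path` description misspells "database" as "databse". Because the string is wrapped in `_()` it presumably becomes a translation msgid, so correcting it after release would change the msgid that translators work from. Fix it in this commit: `'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),`. The `option_strings` dict starts and ends outside this hunk.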
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a15f2bd05..a0a82543f 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -62,6 +62,8 @@ pam_trusted_users = str, None, false
pam_public_domains = str, None, false
pam_account_expired_message = str, None, false
pam_account_locked_message = str, None, false
+pam_cert_auth = bool, None, false
+pam_cert_db_path = str, None, false
p11_child_timeout = int, None, false
[sudo]
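Review bot: `pam_cert_db_path` is declared as a plain `str`, and neither this schema entry nor the sssd.conf.5.xml entry added in the same commit says who may own or write to the database it names. By the man page's own wording, that database holds the PKCS#11 modules used to reach the Smartcard, so anyone able to modify it can presumably influence which modules are loaded during authentication. I would add a sentence to the man page entry such as `The database and its directory should be owned by root and not writable by other users.` Also confirm that the code consuming this option, which is not visible in this diff, handles a relative or non-existent path safely.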
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 09db9cd32..9633dacb7 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1027,6 +1027,32 @@ pam_account_locked_message = Account locked, please contact help desk.
</listitem>
</varlistentry>
<varlistentry>
+ <term>pam_cert_auth (bool)</term>
+ <listitem>
+ <para>
+ Enable certificate based Smartcard authentication.
+ Since this requires additional communication with
+ the Smartcard which will delay the authentication
+ process this option is disabled by default.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>pam_cert_db_path (string)</term>
+ <listitem>
+ <para>
+ The path to the certificate database which contain
+ the PKCS#11 modules to access the Smartcard.
+ </para>
+ <para>
+ Default: /etc/pki/nssdb (NSS version)
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>p11_child_timeout (integer)</term>
<listitem>
<para>