
PKINIT - hash for CA key



Title: PKINIT - hash for CA key

Dan,

Thanks for the new PKINIT patch for .5.  I need to clarify
the hashing used for pki-ca-dir.  The server keys are being
loaded, but the CA certificate is not being found.  I understood
that the CA certificate(s) need to be hashed.  I did the following:

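# Install a CA certificate into pki-ca-dir in OpenSSL "hash directory" form.
#
# The original two-step form (print the hash, then retype it by hand into
# `ln`) is easy to get wrong; derive the link name from the command output
# instead.  OpenSSL's hash-directory lookup expects the link to be named
# <hash>.<n> (normally <hash>.0), not the bare hash — a bare-hash link such as
# f871f896 is not found by that lookup.  Whether Heimdal's pki-ca-dir loader
# follows exactly this convention is not shown here; confirm against the patch.
#
# The directory and the certificate it points at are trust anchors for the
# KDC: they should be owned by root and not be group- or world-writable.
ca_cert=cacert.pem
ca_hash=$(openssl x509 -noout -hash -in "$ca_cert") || exit 1
ln -s -- "$ca_cert" "${ca_hash}.0"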

[root@localhost tmp]# ls -alt ca
total 5
drwxrwxrwt    8 root     root         2048 Oct 20 17:39 ../
drwxrwxrwx    2 root     root         1024 Oct 20 13:37 ./
-rwxrwxrwx    1 root     root         1415 Oct 20 13:37 cacert.pem*
lrwxrwxrwx    1 root     root           10 Oct 20 12:47 f871f896 -> cacert.pem*
[root@localhost tmp]# ls -alt keys
total 14
drwxr-xr-x    3 root     root         1024 Oct 20 17:47 ./
drwxr-xr-x    2 root     root         1024 Oct 20 17:47 old/
drwxrwxrwt    8 root     root         2048 Oct 20 17:39 ../
-rw-r--r--    1 root     root         4570 Oct 20 13:12 keith.crt
-rw-r--r--    1 root     root         1078 Oct 20 13:11 keith.csr
-rw-r--r--    1 root     root          451 Oct 20 13:10 keithpub.pem
-rw-r--r--    1 root     root         1743 Oct 20 13:10 keith.pem

[root@localhost heimdal]# /usr/heimdal/libexec/kdc
Enter your private key passphrase:
kdc: can't enable pkinit support: No CA certificate(s) found

It appears that the passphrase for keith is working just fine,
but then I get an error on the CA certificate.  Is the above correct, or do you
have some examples I can try?  I've attached the config.

Thanks,

cs



############################################################
/var/heimdal/kdc.conf
[realms]
jms.domain.com = {
  # Single-DES only; DES is weak and should not be the sole enabled key type.
  supported_keytypes = des:normal
  }

[kdc]
  enable-pkinit = yes
  # KDC certificate and private key live under /var/tmp; the listing in the
  # message shows /var/tmp/ca as world-writable (drwxrwxrwx), so any local user
  # could replace the trusted CA.  Keep these root-owned and not writable by
  # group or others.
  pki-certificate = /var/tmp/keys/keith.crt
  pki-private-key = /var/tmp/keys/keith.pem
  pki-ca-dir = /var/tmp/ca
  # NOTE(review): this appears to map the subject of the KDC's own certificate
  # to the principal "root" — confirm that is the intended client mapping.
  pki-allowed-principals = {
  root =  /O=Test/OU=North America/CN=keith.jms.domain.com
  }

############################################################
/etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        # Realm names are case-sensitive.  The realm is written in lowercase
        # here and in [realms], but [domain_realm] below maps the domain to
        # JMS.DOMAIN.COM; these should agree.
        default_realm = jms.domain.com
        clockskew = 300
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

[realms]
        jms.domain.com = {
                kdc = keith.jms.domain.com:88
                admin_server = keith.jms.domain.com:749
                pkinit_server = keith.jms.domain.com
                default_domain = jms.domain.com
        }
        OTHER.REALM = {
                v4_instance_convert = {
                        kerberos = kerberos
                        computer = computer.some.other.domain
                }
        }

[domain_realm]
        .my.domain = jms.domain.com
        # Uppercase realm here does not match the lowercase realm used above.
        jms.domain.com = JMS.DOMAIN.COM

[kdc]
        profile = /var/heimdal/kdc.conf