[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


30 nov 2006 kl. 16.23 skrev Alberto Fondi:

> Hi group,
>    I read documentation about Heimdal, but i don't understand the  
> requirerement written in section 4.19 about client and server  
> certificate to use pkinit
> Is there anyone that could explain me?

What will matter most for easy of configuration and working with other
implementation is the KDC certificates.

The KDC should have an EKU and a subjectAltName (OtherName)
that is PK-INIT specific.

The EKU is

The subjectAltName is of the type OtherName using the oid
and with a DER encoded KRB5PrincipalName in the data part with the
realms krbtgt principal in the KRB5PrincipalName.

How you make your CA issuing this kind of certificate is a diffrent  

There are example in lib/hx509/data that generate such certificates
using openssl 0.9.8.

You can turn of the check in the client, but then its harder to verify
for the clients (close to imposible) that its KDC isn't impersonated
so you should avoid this solution.