
Re: EKU




On 30 Nov 2006 at 16:23, Alberto Fondi wrote:

> Hi group,
>
>    I read the documentation about Heimdal, but I don't understand the
> requirement written in section 4.19 about client and server
> certificates to use pkinit.
> Is there anyone that could explain it to me?

What will matter most for ease of configuration and working with other
implementations is the KDC certificates.

The KDC should have an EKU and a subjectAltName (OtherName)
that is PK-INIT specific.

The EKU is 1.3.6.1.5.2.3.5

The subjectAltName is of the type OtherName using the oid 1.3.6.1.5.2.2
and with a DER encoded KRB5PrincipalName in the data part with the
realms krbtgt principal in the KRB5PrincipalName.

How you make your CA issue this kind of certificate is a different
matter.

There are examples in lib/hx509/data that generate such certificates
using openssl 0.9.8.

You can turn off the check in the client, but then it's harder to verify
for the clients (close to impossible) that its KDC isn't impersonated,
so you should avoid this solution.

Love
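As an added illustration of the subjectAltName described above (not code from the original mail or from Heimdal), this builds the DER-encoded KRB5PrincipalName for a realm's krbtgt principal and wraps it in the OtherName GeneralName with OID 1.3.6.1.5.2.2, following the ASN.1 in RFC 4556 (explicit tagging, GeneralString components, name-type NT-SRV-INST = 2). The realm "EXAMPLE.COM" is a constructed sample value; a defender can compare the output byte-for-byte against the SAN a CA actually issued.

```python
# Minimal DER helpers; explicit tags as used by Kerberos ASN.1 modules.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def general_string(s: str) -> bytes:          # KerberosString ::= GeneralString
    return tlv(0x1B, s.encode("ascii"))

def integer(i: int) -> bytes:                 # Int32 ::= INTEGER, minimal 2's complement
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))

def explicit(n: int, body: bytes) -> bytes:   # [n] EXPLICIT, context-specific constructed
    return tlv(0xA0 | n, body)

def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

NT_SRV_INST = 2  # name-type used for krbtgt/REALM@REALM

def krb5_principal_name(realm: str, name_type: int, components: list) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    principal = sequence(
        explicit(0, integer(name_type)),
        explicit(1, sequence(*(general_string(c) for c in components))),
    )
    return sequence(explicit(0, general_string(realm)), explicit(1, principal))

def kdc_san_value(realm: str) -> bytes:
    """The value that goes inside the OtherName for a PK-INIT KDC certificate."""
    return krb5_principal_name(realm, NT_SRV_INST, ["krbtgt", realm])

# id-pkinit-san 1.3.6.1.5.2.2, DER-encoded OBJECT IDENTIFIER
PKINIT_SAN_OID = tlv(0x06, bytes.fromhex("2b0601050202"))

def kdc_general_name(realm: str) -> bytes:
    """GeneralName otherName [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT ANY }"""
    return tlv(0xA0, PKINIT_SAN_OID + explicit(0, kdc_san_value(realm)))

if __name__ == "__main__":
    print(kdc_general_name("EXAMPLE.COM").hex())  # constructed sample realm
```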