[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Certificates for Pkinit

Hi group,

    we have proved heimdal and pkinit at our organization and we think 
it is very good, because we needed a system able to authenticate clients 
with certificates.

However we want a confirmation about the requirements of certificates:

The KDC should have an EKU and a subjectAltName (OtherName) that is 
PK-INIT specific.
The EKU is

The subjectAltName is of the type OtherName using the oid 
and with a DER encoded KRB5PrincipalName in the data part with the 
realms krbtgt principal in the KRB5PrincipalName.

The certificates for the clients must have a EKU id-pkekuoid 
( and a DER encoded domain in the SubjectAltName in the 
certificate using OtherName

Is it all correct ?

If our CA can't match these requirements is there a walkaround?