Certificates for Pkinit
We have proved Heimdal and PKINIT at our organization and we think
it is very good, because we needed a system able to authenticate clients
However we want a confirmation about the requirements of certificates:
The KDC should have an EKU and a subjectAltName (OtherName) that is
The EKU is 188.8.131.52.184.108.40.206
The subjectAltName is of the type OtherName using the oid 220.127.116.11.5.2.2
and with a DER encoded KRB5PrincipalName in the data part with the
realm's krbtgt principal in the KRB5PrincipalName.
The certificates for the clients must have an EKU id-pkekuoid
(18.104.22.168.22.214.171.124) and a DER encoded domain in the SubjectAltName in the
certificate using OtherName
Is it all correct?
If our CA can't match these requirements, is there a workaround?
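
For readers checking what a CA has to emit, this added example (not part of the original post and not Heimdal code) hand-encodes the OtherName subjectAltName described above for a realm's krbtgt principal. It assumes the id-pkinit-san OID and KRB5PrincipalName layout from RFC 4556, a constructed realm EXAMPLE.COM and name-type 1; the function names are hypothetical.

```python
# Added example: DER for the PKINIT OtherName subjectAltName (RFC 4556 layout).
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # assumption: id-pkinit-san as given in RFC 4556

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with definite DER length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def general_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString

def integer(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # v >= 0 only

def krb5_principal_name(realm, components, name_type=1):
    """KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }, explicit tags."""
    names = tlv(0x30, b"".join(general_string(c) for c in components))
    princ = tlv(0x30, tlv(0xA0, integer(name_type)) + tlv(0xA1, names))
    return tlv(0x30, tlv(0xA0, general_string(realm)) + tlv(0xA1, princ))

def kdc_san_othername(realm: str) -> bytes:
    """GeneralName otherName [0] { type-id, value [0] } for krbtgt/REALM@REALM."""
    value = krb5_principal_name(realm, ["krbtgt", realm])
    return tlv(0xA0, oid(ID_PKINIT_SAN) + tlv(0xA0, value))

if __name__ == "__main__":
    print(kdc_san_othername("EXAMPLE.COM").hex())  # EXAMPLE.COM is a constructed realm
```

Comparing these bytes with the subjectAltName extension in an ASN.1 dump of an issued certificate shows whether the CA encoded the OtherName as expected.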