Re: Certificates for Pkinit
On 15 Dec 2006, at 13:29, Alberto Fondi wrote:
> [requirements]
For the KDC the requirement is correct.
The client needs neither an EKU nor SAN.
The (client's) SAN is used to avoid configuring ACLs (subject DN to principal matching) on the KDC.
> If our CA can't match these requirements is there a workaround?
For the KDC certificate, you can put the following in the krb5.conf file.
But note that this is a security risk since now anyone with a valid certificate can fake a KDC response.
[realms]
    EXAMPLE.COM = {
        pkinit_require_eku = n
        pkinit_require_krbtgt_otherName = no
    }
Love
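Added example, not part of the original post or of Heimdal's code: a small Python audit that scans krb5.conf text for realms where the two KDC certificate checks named in the post are switched off. The boolean rule in `is_true`, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# The two options from the post; a false value relaxes KDC certificate checks.
RISKY = ("pkinit_require_eku", "pkinit_require_krbtgt_otherName")

def is_true(value):
    # Assumption: "yes", "true" or a non-zero integer are true, all else false.
    v = value.strip().lower()
    return v in ("yes", "true") or (v.isdigit() and int(v) != 0)

def audit_krb5_conf(text):
    """Return sorted (realm, option, raw value) for risky options set false."""
    findings, section, realm, depth = [], None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, depth = header.group(1), None, 0
        elif section != "realms":
            continue
        elif line.endswith("{"):          # "REALM = {" or a nested sub-block
            depth += 1
            if depth == 1:
                realm = line.split("=")[0].strip()
        elif line == "}":
            depth = max(depth - 1, 0)
            if depth == 0:
                realm = None
        else:
            kv = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
            if kv and depth == 1 and kv.group(1) in RISKY and not is_true(kv.group(2)):
                findings.append((realm, kv.group(1), kv.group(2)))
    return sorted(findings)

# Constructed sample: EXAMPLE.COM carries the settings from the post.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        pkinit_require_eku = n
        pkinit_require_krbtgt_otherName = no
    }
    OTHER.EXAMPLE = {
        pkinit_require_eku = yes
    }
"""

if __name__ == "__main__":
    for realm, option, value in audit_krb5_conf(SAMPLE):
        print(f"{realm}: {option} = {value!r} disables a KDC certificate check")
```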