
Re: Certificates for Pkinit

On 15 Dec 2006 at 13:29, Alberto Fondi wrote:

> [requirements]

For the KDC the requirement is correct.

The client needs neither an EKU nor a SAN.

The (client's) SAN is used to avoid configuring ACLs (subject DN to principal matching) on the KDC.

> If our CA can't match these requirements is there a workaround?

For the KDC certificate, you can put the following in the krb5.conf.
But note that this is a security risk, since now anyone with a valid
certificate can fake a KDC response.

        EXAMPLE.COM = {
                pkinit_require_eku = no
                pkinit_require_krbtgt_otherName = no
        }
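The two knobs above correspond to two checks the KDC certificate normally has to pass: an EKU containing id-pkinit-KPKdc (1.3.6.1.5.2.3.5) and a subjectAltName otherName of type id-pkinit-san (1.3.6.1.5.2.2) carrying the krbtgt/REALM@REALM principal. The following is an added example, not code from the mail or from Heimdal: it decodes the DER Extensions of a certificate with a small hand-written parser and evaluates both checks, with the two knobs as parameters so the weak configuration can be compared with the default. The DER encoder at the top exists only to construct offline test input; the OIDs and ASN.1 layouts are those of RFC 4556 and RFC 5280. Function names, the sample realm and the sample principal names are this example's own.

```python
"""PKINIT certificate extension checks over DER (added example, not Heimdal code)."""

# OIDs from RFC 5280 and RFC 4556 (section 3.2.2 for id-pkinit-san and the EKUs)
OID_EKU = "2.5.29.37"
OID_SAN = "2.5.29.17"
OID_PKINIT_KDC_EKU = "1.3.6.1.5.2.3.5"      # id-pkinit-KPKdc
OID_PKINIT_CLIENT_EKU = "1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth
OID_PKINIT_SAN = "1.3.6.1.5.2.2"            # id-pkinit-san (otherName type-id)

# ---- minimal DER encoder, used only to construct test certificates' extensions ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def ctx(n, content):            # [n] constructed context tag (used here for EXPLICIT)
    return tlv(0xA0 | n, content)

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def gstr(s):                    # GeneralString, the encoding of Realm / KerberosString
    return tlv(0x1B, s.encode())

def krb5_principal_name(realm, components, name_type=2):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    pn = seq(ctx(0, tlv(0x02, bytes([name_type]))),
             ctx(1, seq(*[gstr(c) for c in components])))
    return seq(ctx(0, gstr(realm)), ctx(1, pn))

def extension(ext_oid, inner, critical=False):
    parts = [oid(ext_oid)] + ([tlv(0x01, b"\xff")] if critical else []) + [tlv(0x04, inner)]
    return seq(*parts)

def eku_ext(*oids):
    return extension(OID_EKU, seq(*[oid(o) for o in oids]))

def pkinit_san_ext(realm, components):
    # GeneralName otherName is [0] IMPLICIT OtherName { type-id OID, value [0] EXPLICIT ANY }
    other = tlv(0xA0, oid(OID_PKINIT_SAN) + ctx(0, krb5_principal_name(realm, components)))
    return extension(OID_SAN, seq(other))

# ---- minimal DER parser and the two PKINIT checks ----
def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(content):
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val

def _oid_str(content):
    arcs, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Map extnID -> extnValue bytes from a DER Extensions SEQUENCE (critical flag skipped)."""
    _, content, _ = _read_tlv(der)
    result = {}
    for _, ext in _children(content):
        fields = list(_children(ext))
        result[_oid_str(fields[0][1])] = fields[-1][1]
    return result

def eku_oids(exts):
    if OID_EKU not in exts:
        return []
    _, content, _ = _read_tlv(exts[OID_EKU])
    return [_oid_str(v) for _, v in _children(content)]

def pkinit_principals(exts):
    """All (realm, name components) carried in id-pkinit-san otherNames of the SAN."""
    found = []
    if OID_SAN not in exts:
        return found
    _, names, _ = _read_tlv(exts[OID_SAN])
    for tag, gn in _children(names):
        if tag != 0xA0:                       # only otherName entries matter here
            continue
        type_id, value = list(_children(gn))[:2]
        if _oid_str(type_id[1]) != OID_PKINIT_SAN:
            continue
        _, kpn, _ = _read_tlv(value[1])       # unwrap [0] EXPLICIT -> KRB5PrincipalName
        realm_ctx, pn_ctx = list(_children(kpn))
        realm = next(_children(realm_ctx[1]))[1].decode()
        _, pn, _ = _read_tlv(pn_ctx[1])
        _, strs_seq = list(_children(pn))[1]  # [1] name-string
        _, strs, _ = _read_tlv(strs_seq)
        found.append((realm, [s.decode() for _, s in _children(strs)]))
    return found

def kdc_cert_ok(exts, realm, require_eku=True, require_krbtgt_othername=True):
    """Both flags True is the default KDC requirement; False mirrors the krb5.conf knobs."""
    if require_eku and OID_PKINIT_KDC_EKU not in eku_oids(exts):
        return False
    if require_krbtgt_othername and (realm, ["krbtgt", realm]) not in pkinit_principals(exts):
        return False
    return True

def client_principal(exts):
    """Client certs need no EKU/SAN; a pkinit SAN, if present, gives the principal to map to."""
    names = pkinit_principals(exts)
    if not names:
        return None
    realm, comps = names[0]
    return "/".join(comps) + "@" + realm

# Constructed sample extension blocks (hypothetical realm and names, not real certificates)
REALM = "EXAMPLE.COM"
GOOD_KDC = seq(eku_ext(OID_PKINIT_KDC_EKU), pkinit_san_ext(REALM, ["krbtgt", REALM]))
NO_EKU_KDC = seq(pkinit_san_ext(REALM, ["krbtgt", REALM]))
CLIENT = seq(pkinit_san_ext(REALM, ["alberto"]))
```

With the defaults, only GOOD_KDC passes; NO_EKU_KDC passes only once require_eku is switched off, which is exactly the relaxation the mail warns about, since a certificate lacking the KDC EKU (in the extreme, any end-entity certificate from the same CA) is then accepted as a KDC. For a real certificate, run `openssl x509 -in kdc.pem -noout -text` and look for the 1.3.6.1.5.2.3.5 EKU and the id-pkinit-san otherName, or feed the Extensions SEQUENCE extracted by a full X.509 parser into parse_extensions.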