X.509 Interop

Frank J. Nagy nagy at fnal.gov
Fri Nov 18 19:59:04 EST 2005


> My understanding is KX.509 uses a KCA server to generate the X.509
> certificates off of a kerberos backend.  (I'm confident there's
> something at least mildly technically wrong with that statement).  Does
> anyone here have experience setting up the KCA server?  I'd be most
> thankful to hear any sort of reports on how difficult it was to set up.

We (Fermilab) operate a Kerberos-based single-signon system using an
array of MIT-Kerberos-based KDCs (key distribution centers, one Master
and multiple slaves to spread the load) as well as trust relations with
the Windows Active Domain. I mention this to point out that we make
extensive use of Kerberos.

We also operate a pair of KCAs (Kerberos Certificate Authorities).  One
obtains a Kerberos ticket (kinit) and then uses kx509 to get a certificate
based on holding this ticket.  We operate a pair of KCAs to spread the
load and provide redundancy.  Our KCAs are under heavy load due to extensive
use of KCA certificates for Grid computing by the CDF experiment (for instance).
Visit our Security web pages at http://security.fnal.gov/ to learn more.

-- 
= Dr. Frank J. Nagy    [Applied Scientist]
= Fermilab Computing Division/Computer Security Team
= nagy at fnal.gov (Alt: f.nagy at sbcglobal.net or nagy at inil.com)
= Web page: http://home.fnal.gov/~nagy/
= Feynman Computing FCC358   630-840-4935  FAX 840-8208
= USnail: Fermilab POB 500 MS/3699 Batavia, IL 60510
= ICBM: 41d 50m 14s N, 88d 15m 48s W, 741 ft ASL
