X.509 Interop

Douglas E. Engert deengert at anl.gov
Sun Nov 20 08:13:57 EST 2005



rektide at gmail.com wrote:
> I saw KX.509.  I'm glad to see so much discussion about it here, a
> publicly visible project makes me feel much happier about the concept.
> 
> My understanding is KX.509 uses a KCA server to generate the X.509
> certificates off of a kerberos backend.  (I'm confident there's
> something at least mildly technically wrong with that statement).  Does
> anyone here have experience setting up the KCA server?  I'd be most
> thankful to hear any sort of reports on how difficult it was to set up.

It was trivial to set up. It compiles with OpenSSL and Kerberos. You
can use OpenSSL to generate the CA certificate and key. Since the
intent is that the certificates are short term based on the life
of the Kerberos ticket, there are no CRLs (but there could be.)

The KCA has a Kerberos service principal like any other Kerberos
service. The client authenticates to the KCA and, with a key pair,
creates a request and sends it securely to the KCA. The KCA takes
the principal and lifetime for the ticket and uses them for the
certificate, and returns the certificate to the kx509 client.

So each time a user requests a certificate, the subject name remains
the same, but it has a new key and lifetime. So SSL/TLS servers, like
a web server, can use the principal name for authorization.


> 
> Looks like the way to go though, thank you guys very much.  I will be
> sure to investigate.
> Rektide
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
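The exchange Douglas describes (client authenticates with a ticket, makes a fresh key pair and request, KCA stamps the principal and the ticket lifetime into a certificate, a TLS server authorizes on the subject name), played through as an added example using Go's standard crypto/x509 package. This is not kx509 or KCA code; the Ticket and KCA types, the 24-hour MaxLife ceiling, the CA name "Example KCA" and the principal alice@EXAMPLE.ORG are assumptions made for the example. It also shows why no CRL is needed: the certificate simply stops verifying when the ticket would have expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Ticket is a constructed stand-in for the Kerberos service ticket the client
// presents to the KCA; only the two fields the KCA copies into the certificate
// are modelled (an assumption of this example, not kx509 code).
type Ticket struct {
	Principal string
	Expires   time.Time
}

// KCA holds the CA certificate and key (the pair OpenSSL would generate) plus a
// ceiling on certificate lifetime. Hypothetical type, not the real KCA's.
type KCA struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	MaxLife time.Duration
}

// NewKCA builds a self-signed CA, standing in for the OpenSSL-generated one.
func NewKCA(maxLife time.Duration) (*KCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example KCA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KCA{Cert: cert, Key: key, MaxLife: maxLife}, nil
}

// ClientRequest is the kx509 client side: a fresh key pair and a CSR naming the
// principal. The private key never leaves the client.
func ClientRequest(principal string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: principal}}, key)
	return key, csr, err
}

// Issue is the KCA side. The subject comes from the Kerberos-authenticated
// ticket, not from the CSR, and NotAfter never exceeds the ticket's expiry
// (capped further by MaxLife), which is what makes CRLs unnecessary.
func (k *KCA) Issue(t Ticket, csrDER []byte, now time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, err
	}
	if !t.Expires.After(now) {
		return nil, errors.New("kca: ticket already expired")
	}
	notAfter := t.Expires
	if ceiling := now.Add(k.MaxLife); notAfter.After(ceiling) {
		notAfter = ceiling
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: t.Principal},
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, k.Cert, csr.PublicKey, k.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is what a TLS server does with the presented client certificate:
// chain it to the KCA root at time now, then treat the subject as the principal.
func Authorize(root, cert *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	kca, _ := NewKCA(24 * time.Hour)
	now := time.Now().Truncate(time.Second)
	tkt := Ticket{Principal: "alice@EXAMPLE.ORG", Expires: now.Add(8 * time.Hour)} // constructed
	_, csr, _ := ClientRequest(tkt.Principal)
	cert, _ := kca.Issue(tkt, csr, now)
	who, err := Authorize(kca.Cert, cert, now)
	fmt.Println(who, err, cert.NotAfter.Equal(tkt.Expires))
	_, err = Authorize(kca.Cert, cert, tkt.Expires.Add(time.Second))
	fmt.Println("after the ticket would have expired:", err)
}
```

Two design points carried over from the description: the KCA ignores whatever subject the client put in the CSR and uses the Kerberos principal, so the name a web server sees is the one Kerberos authenticated; and a second request for the same principal yields the same subject with a different public key, so authorization keys off the name, never the key.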

