a question on Kerberos TGS name

Mantas Mikulėnas grawity at gmail.com
Thu Feb 16 06:07:24 EST 2012


On 2012-02-16 12:07, luxInteg wrote:
> thanks 
> Now the manpage for x509 has this excerpt (on setting subjectAltName
> in certificates)
> ---------
> Examples: 
>  subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
>  subjectAltName=IP:192.168.7.1
>  subjectAltName=IP:13::17
>  subjectAltName=email:my@other.address,RID:1.2.3.4
>  subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
> ------
> i.e. there are URLs for email:, IP: and I think there is one for DNS:
> But with a label such as 
> krbtgt/REALMNAME@REALMNAME
> 
> I am unsure if the 5th line above applies (and/or how). So I would be 
> grateful for an explanation on how
> subjectAltName or otherName is set in openssl.cnf
> (for krbtgt/REALMNAME@REALMNAME)

It's otherName, but far more complex, unfortunately. See this example,
both [kdc_cert] and [client_cert] sections:

<http://k5wiki.kerberos.org/wiki/Pkinit_configuration#Extensions_file>

-- 
Mantas Mikulėnas <grawity at gmail.com>

