a question on Kerberos TGS name

luxInteg lux-integ at btconnect.com
Fri Feb 17 07:45:09 EST 2012


On Thursday 16 February 2012 11:07:24 Mantas Mikulėnas wrote:
> It's otherName, but far more complex, unfortunately. See this example,
> both [kdc_cert] and [client_cert] sections:
> 
> <http://k5wiki.kerberos.org/wiki/Pkinit_configuration#Extensions_file>

thanks for the link.  The link explains how to generate self-signed 
certificates for krb5.   This is what I gathered:-

---------for the kdc
openssl genrsa -out kdckey.pem 2048 
openssl req -new -out kdc.req -key kdckey.pem

REALM=EXAMPLE.COM; export REALM
CLIENT=<kdc-name.example.com>; export CLIENT

openssl x509 -req -in kdc.req \
-CAkey cakey.pem \
-CA cacert.pem \
-out kdc.pem \
-extfile pkinit_extensions \
-extensions kdc_cert \
-CAcreateserial


---------for the krb5 client
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.req

REALM=EXAMPLE.COM; export REALM
CLIENT=alice; export CLIENT

openssl x509 -CAkey cakey.pem -CA cacert.pem \
-req -in client.req \
-extensions client_cert \
-extfile pkinit_extensions \
-out client.pem



A question:-
for the kdc, can ( kdc.pem, kdckey.pem, cacert.pem ),
or for the client, can ( clientkey.pem, client.pem, cacert.pem ),

be combined (for each) into one file and converted to .der, and would 
such a file be usable by krb5?

and if so  would these lines  in ~krb5.conf
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem 
pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem

now  read
pkinit_identity = FILE:/var/lib/krb5kdc/somefile.der
pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem

?

thanks in advance

sincerely
luxInteg
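An added example, not from this thread or from the krb5 project: before pointing krb5 at a bundled identity, check that the key really belongs to the certificate and that the certificate chains to the anchor, then bundle the three files into one PKCS#12 file (krb5's pkinit_identity accepts that with the PKCS12: prefix). It assumes the openssl CLI is installed; the function names, the PKINIT_P12_PASS variable and the throwaway demo CA are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PKINIT cert/key/CA
# trio, then bundle it into one PKCS#12 file, usable in krb5.conf as
#   pkinit_identity = PKCS12:/var/lib/krb5kdc/kdc.p12
# Requires the openssl CLI. PKINIT_P12_PASS must hold the bundle password.
set -u

# Return 0 only if KEY is the private key for CERT and CERT chains to CA.
pkinit_identity_check() {
  cert=$1; key=$2; ca=$3
  # the public key derived from the private key must equal the one in the cert
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
  # the cert must validate against the anchor krb5 will be given
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "cert does not chain to $ca" >&2; return 1; }
  return 0
}

# Bundle cert + key + CA into OUT (PKCS#12) after the checks above pass.
pkinit_identity_bundle() {
  cert=$1; key=$2; ca=$3; out=$4
  pkinit_identity_check "$cert" "$key" "$ca" || return 1
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
    -passout env:PKINIT_P12_PASS -out "$out"
}

# Count the certificates stored in a bundle (cert + CA should give 2).
pkinit_bundle_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PKINIT_P12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Demo fixture, constructed for this example: a throwaway CA and a KDC
# cert with default extensions (a real KDC cert would be issued with the
# wiki's kdc_cert extensions as in the thread's commands).
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
    -out "$dir/cacert.pem" -subj "/CN=Demo CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/kdckey.pem" \
    -out "$dir/kdc.req" -subj "/CN=kdc.example.com" 2>/dev/null
  openssl x509 -req -in "$dir/kdc.req" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/kdc.pem" -days 1 2>/dev/null
}
```

Run `make_demo_pki /tmp/pki` and then `pkinit_identity_bundle /tmp/pki/kdc.pem /tmp/pki/kdckey.pem /tmp/pki/cacert.pem /tmp/pki/kdc.p12` with PKINIT_P12_PASS exported; a mismatched key (for example the CA's) is rejected before anything is written.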


