Reg: pkinit with smartcard on kerberos V5

Lohit Valleru lohitv9 at gmail.com
Tue Feb 26 16:39:46 EST 2013


Dear Community,

I assume I have mailed the right community list for these kinds of
questions. If I have mailed the wrong location, may I please ask for
the respective mailing address.

I am a system administrator for a high performance cluster, and I am
thinking of setting up a smartcard authentication with kerberos.

I have already completed the Kerberos authentication implementation for users
of the cluster, through kinit and gssapi.

These are the steps that I have followed to set up pkinit with smartcard.

1. I have created a CA to issue the CA certificates, CAkey and use those to
create the KDC certificates and Client certificates as mentioned in the
link below.

http://web.mit.edu/kerberos/krb5-current/doc/admin/pkinit.html

2. However, in order to use smartcard along with PAM and Kerberos
authentication, I need to use the CAs given by our organization for the
smart card, for which we do not have the CA key.

My question is: do we have to use the same CA for KDC, Client and
Smartcard certificates, or could we mention 2 different CAs to the KDC for
the KDC, Client certificates and the Smartcard certificate?

In that way, it would be helpful if the KDC could use a self-generated CA
certificate for the KDC and Client certificate, while it will use the
Smartcard CA certificate for user login authentication with smart card.

Also, may I know how we kinit using smartcard, in order to debug whether the
issue is with the PAM login attempt or Kerberos authentication?

I would be happy to hear from you.

Thank you

Lohit

